CVE-2022-32549 - OpenCVE

Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Sling Api Sling Commons Log

Configuration 1 [-]

OR	cpe:2.3:a:apache:sling_api::::::::
	cpe:2.3:a:apache:sling_commons_log::::::::

No data.

References

Link	Providers
https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v
https://nvd.nist.gov/vuln/detail/CVE-2022-32549
https://www.cve.org/CVERecord?id=CVE-2022-32549

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-06-22T14:25:10

Updated: 2024-08-03T07:46:43.499Z

Reserved: 2022-06-08T00:00:00

Link: CVE-2022-32549

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-06-22T15:15:08.407

Modified: 2022-06-29T16:26:28.237

Link: CVE-2022-32549

Redhat

Severity : Moderate

Publid Date: 2022-06-22T00:00:00Z

Links: CVE-2022-32549 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Apache Sling", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.25.0", "status": "affected", "version": "Apache Sling API", "versionType": "custom"}, {"lessThanOrEqual": "5.4.0", "status": "affected", "version": "Apache Sling Commons Log", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache Sling would like to thank Alex Collignon for reporting this issue."}], "descriptions": [{"lang": "en", "value": "Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files."}], "metrics": [{"other": {"content": {"other": "important"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-117", "description": "CWE-117: Improper Output Neutralization for Logs", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-22T14:25:10", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v"}], "source": {"discovery": "UNKNOWN"}, "title": "log injection in Sling logging", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-32549", "STATE": "PUBLIC", "TITLE": "log injection in Sling logging"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Sling", "version": {"version_data": [{"version_affected": "<=", "version_name": "Apache Sling API", "version_value": "2.25.0"}, {"version_affected": "<=", "version_name": "Apache Sling Commons Log", "version_value": "5.4.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Sling would like to thank Alex Collignon for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "important"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-117: Improper Output Neutralization for Logs"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v", "refsource": "MISC", "url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:46:43.499Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-32549", "datePublished": "2022-06-22T14:25:10", "dateReserved": "2022-06-08T00:00:00", "dateUpdated": "2024-08-03T07:46:43.499Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:sling_api:*:*:*:*:*:*:*:*", "matchCriteriaId": "3DE53A5F-C5AF-4BC5-8E11-25974893ED3F", "versionEndIncluding": "2.25.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:sling_commons_log:*:*:*:*:*:*:*:*", "matchCriteriaId": "292B4F19-0D8F-4F97-918E-9A81CF040B6D", "versionEndIncluding": "5.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files."}, {"lang": "es", "value": "Apache Sling Commons Log versiones anteriores a 5.4.0 incluy\u00e9ndola y Apache Sling API versiones anteriores a 2.25.0 incluy\u00e9ndola, son vulnerables a una inyecci\u00f3n de registros. La capacidad de falsificar registros puede permitir a un atacante cubrir sus huellas al inyectar registros falsos y corrompiendo potencialmente los archivos de registro"}], "id": "CVE-2022-32549", "lastModified": "2022-06-29T16:26:28.237", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-22T15:15:08.407", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-117"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Sling: log injection in Sling logging", "id": "2102810", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2102810"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-117", "details": ["Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.", "A flaw was found in Apache Sling Commons Log. This flaw allows an attacker to benefit from the flaw and forge logs, allowing cover tracks and potentially corrupting log files."], "name": "CVE-2022-32549", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.apache.sling", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "org.apache.sling", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "org.apache.sling", "product_name": "Red Hat Integration Data Virtualisation Operator"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "org.apache.sling", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "org.apache.sling", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "org.apache.sling", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.apache.sling", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "org.apache.sling", "product_name": "Red Hat JBoss Fuse 7"}], "public_date": "2022-06-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-32549\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-32549"], "threat_severity": "Moderate"}