CVE-2024-21645 - Vulnerability Details - OpenCVE

Description

pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.

Published: 2024-01-08

Score: 5.3 Medium

EPSS: 71.3% High

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

pyload

pyload

affected

Version	Status	Constraints
`< 0.5.0b3.dev77`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:pyload:pyload::::::::
	cpe:2.3:a:pyload:pyload:0.5.0:beta1::::::
	cpe:2.3:a:pyload:pyload:0.5.0:beta2::::::

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-ghmw-rwh8-6qmr	pyload Log Injection vulnerability

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.71322.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d
https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr

History

Thu, 14 Nov 2024 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Pyload Pyload

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-08T13:20:47.181Z

Updated: 2024-11-14T17:38:32.866Z

Reserved: 2023-12-29T03:00:44.958Z

Link: CVE-2024-21645

Vulnrichment

Updated: 2024-08-01T22:27:35.862Z

NVD

Status : Modified

Published: 2024-01-08T14:15:47.420

Modified: 2024-11-21T08:54:47.520

Link: CVE-2024-21645

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-74

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21645", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T03:00:44.958Z", "datePublished": "2024-01-08T13:20:47.181Z", "dateUpdated": "2024-11-14T17:38:32.866Z"}, "containers": {"cna": {"title": "pyLoad Log Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr"}, {"name": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d", "tags": ["x_refsource_MISC"], "url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": "< 0.5.0b3.dev77", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-08T13:20:47.181Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker\u2019s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.\n"}], "source": {"advisory": "GHSA-ghmw-rwh8-6qmr", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:35.862Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr"}, {"name": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-01-17T21:13:17.262265Z", "id": "CVE-2024-21645", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-14T17:38:32.866Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d", "name": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:35.862Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21645", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-17T21:13:17.262265Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-14T17:38:29.689Z"}}], "cna": {"title": "pyLoad Log Injection", "source": {"advisory": "GHSA-ghmw-rwh8-6qmr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"status": "affected", "version": "< 0.5.0b3.dev77"}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d", "name": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker\u2019s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-08T13:20:47.181Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21645", "state": "PUBLISHED", "dateUpdated": "2024-11-14T17:38:32.866Z", "dateReserved": "2023-12-29T03:00:44.958Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-08T13:20:47.181Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*", "matchCriteriaId": "71C7D7BA-743B-4C43-B77C-E6C1A6ACFE7E", "versionEndIncluding": "0.4.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyload:pyload:0.5.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3040B5C9-171B-40D9-83CB-CD529DC046ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyload:pyload:0.5.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "78FA70FC-0CFE-4E89-9274-1670E1204B61", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker\u2019s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.\n"}, {"lang": "es", "value": "pyLoad es el administrador de descargas gratuito y de c\u00f3digo abierto escrito en Python puro. Se identific\u00f3 una vulnerabilidad de inyecci\u00f3n de registros en \"pyload\" que permite a cualquier actor no autenticado inyectar mensajes arbitrarios en los registros recopilados por \"pyload\". Los archivos de registro corruptos, falsificados o no, se pueden utilizar para cubrir las huellas de un atacante o incluso para implicar a otra parte en la comisi\u00f3n de un acto malicioso. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 0.5.0b3.dev77."}], "id": "CVE-2024-21645", "lastModified": "2024-11-21T08:54:47.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-08T14:15:47.420", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}]}