{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-25184", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-03T19:30:53.399Z", "datePublished": "2025-02-12T16:20:46.865Z", "dateUpdated": "2025-02-14T19:48:00.607Z"}, "containers": {"cna": {"title": "Possible Log Injection in Rack::CommonLogger", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-117", "lang": "en", "description": "CWE-117: Improper Output Neutralization for Logs", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg"}, {"name": "https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e", "tags": ["x_refsource_MISC"], "url": "https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e"}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"version": "< 2.2.11", "status": "affected"}, {"version": ">= 3.0, < 3.0.12", "status": "affected"}, {"version": ">= 3.1, < 3.1.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-14T19:48:00.607Z"}, "descriptions": [{"lang": "en", "value": "Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.10 contain a fix."}], "source": {"advisory": "GHSA-7g2v-jj9q-g3rg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-12T19:09:07.706810Z", "id": "CVE-2025-25184", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:09:12.443Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-25184", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-12T19:09:07.706810Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:09:01.062Z"}}], "cna": {"title": "Possible Log Injection in Rack::CommonLogger", "source": {"advisory": "GHSA-7g2v-jj9q-g3rg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"status": "affected", "version": "< 2.2.11"}, {"status": "affected", "version": ">= 3.0, < 3.0.12"}, {"status": "affected", "version": ">= 3.1, < 3.1.11"}]}], "references": [{"url": "https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg", "name": "https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e", "name": "https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.11, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.11 contain a fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-117", "description": "CWE-117: Improper Output Neutralization for Logs"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-12T16:20:46.865Z"}}}, "cveMetadata": {"cveId": "CVE-2025-25184", "state": "PUBLISHED", "dateUpdated": "2025-02-12T19:09:12.443Z", "dateReserved": "2025-02-03T19:30:53.399Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-12T16:20:46.865Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.10 contain a fix."}, {"lang": "es", "value": "Rack proporciona una interfaz para desarrollar aplicaciones web en Ruby. Antes de las versiones 2.2.11, 3.0.12 y 3.1.11, Rack::CommonLogger se puede explotar creando entradas que incluyan caracteres de nueva l\u00ednea para manipular las entradas del registro. La prueba de concepto proporcionada demuestra la inyecci\u00f3n de contenido malicioso en los registros. Cuando un usuario proporciona las credenciales de autorizaci\u00f3n a trav\u00e9s de Rack::Auth::Basic, si tiene \u00e9xito, el nombre de usuario se colocar\u00e1 en env['REMOTE_USER'] y luego ser\u00e1 utilizado por Rack::CommonLogger para fines de registro. El problema ocurre cuando un servidor intencional o involuntariamente permite la creaci\u00f3n de un usuario con el nombre de usuario que contiene caracteres CRLF y espacios en blanco, o el servidor solo desea registrar cada intento de inicio de sesi\u00f3n. Si un atacante ingresa un nombre de usuario con caracteres CRLF, el registrador registrar\u00e1 el nombre de usuario malicioso con caracteres CRLF en el archivo de registro. Los atacantes pueden romper los formatos de registro o insertar entradas fraudulentas, lo que podr\u00eda ocultar la actividad real o inyectar datos maliciosos en los archivos de registro. Las versiones 2.2.11, 3.0.12 y 3.1.11 contienen una correcci\u00f3n."}], "id": "CVE-2025-25184", "lastModified": "2025-02-14T20:15:34.350", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "HIGH"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-02-12T17:15:24.000", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e"}, {"source": "security-advisories@github.com", "url": "https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}, {"lang": "en", "value": "CWE-117"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1985", "cpe": "cpe:/a:redhat:logging:5.9::el9", "package": "openshift-logging/cluster-logging-operator-bundle:v5.9.12-13", "product_name": "RHOL-5.9-RHEL-9", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:1985", "cpe": "cpe:/a:redhat:logging:5.9::el9", "package": "openshift-logging/cluster-logging-rhel9-operator:v5.9.12-6", "product_name": "RHOL-5.9-RHEL-9", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:1985", "cpe": "cpe:/a:redhat:logging:5.9::el9", "package": "openshift-logging/eventrouter-rhel9:v0.4.0-341", "product_name": "RHOL-5.9-RHEL-9", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:1985", "cpe": "cpe:/a:redhat:logging:5.9::el9", "package": "openshift-logging/fluentd-rhel9:v5.9.12-3", "product_name": "RHOL-5.9-RHEL-9", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:1985", "cpe": "cpe:/a:redhat:logging:5.9::el9", "package": "openshift-logging/log-file-metric-exporter-rhel9:v1.1.0-322", "product_name": "RHOL-5.9-RHEL-9", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:1985", "cpe": "cpe:/a:redhat:logging:5.9::el9", "package": "openshift-logging/logging-loki-rhel9:v3.3.2-16", "product_name": "RHOL-5.9-RHEL-9", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:1985", "cpe": "cpe:/a:redhat:logging:5.9::el9", "package": "openshift-logging/logging-view-plugin-rhel9:v5.9.12-3", "product_name": "RHOL-5.9-RHEL-9", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:1985", "cpe": "cpe:/a:redhat:logging:5.9::el9", "package": "openshift-logging/loki-operator-bundle:v5.9.12-11", "product_name": "RHOL-5.9-RHEL-9", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:1985", "cpe": "cpe:/a:redhat:logging:5.9::el9", "package": "openshift-logging/loki-rhel9-operator:v5.9.12-4", "product_name": "RHOL-5.9-RHEL-9", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:1985", "cpe": "cpe:/a:redhat:logging:5.9::el9", "package": "openshift-logging/lokistack-gateway-rhel9:v0.1.0-735", "product_name": "RHOL-5.9-RHEL-9", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:1985", "cpe": "cpe:/a:redhat:logging:5.9::el9", "package": "openshift-logging/opa-openshift-rhel9:v0.1.0-351", "product_name": "RHOL-5.9-RHEL-9", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:1985", "cpe": "cpe:/a:redhat:logging:5.9::el9", "package": "openshift-logging/vector-rhel9:v0.34.1-33", "product_name": "RHOL-5.9-RHEL-9", "release_date": "2025-03-05T00:00:00Z"}], "bugzilla": {"description": "rubygem-rack: Possible Log Injection in Rack::CommonLogger", "id": "2345301", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345301"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "(CWE-117|CWE-93)", "details": ["Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.10 contain a fix.", "A flaw was found in the rubygem-rack package. When a user provides the authorization credentials via Rack::Auth::Basic, if successful, the username is placed in env['REMOTE_USER'] and later used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username containing CRLF and white space characters or the server logs every login attempt. If an attacker enters a username with a CRLF character, the logger will log the malicious username with CRLF characters into the logfile. This flaw allows attackers to break log formats or insert fraudulent entries, potentially obscuring activity or injecting malicious data into log files."], "name": "CVE-2025-25184", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp-zync-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "ruby-30", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "ruby-31", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "ruby-33", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "rubygem-rack", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Out of support scope", "package_name": "rubygem-rack", "product_name": "Red Hat Storage 3"}], "public_date": "2025-02-12T16:20:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-25184\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-25184\nhttps://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e\nhttps://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg"], "threat_severity": "Moderate"}