CVE-2024-21645 – pyload-ng

Package

Manager: pip
Name: pyload-ng
Vulnerable Version: >=0 <0.5.0b3.dev77

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.72619 pctl0.98725

Details

pyload Log Injection vulnerability ### Summary A log injection vulnerability was identified in `pyload`. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. ### Details `pyload` will generate a log entry when attempting to sign in with faulty credentials. This entry will be in the form of `Login failed for user 'USERNAME'`. However, when supplied with a username containing a newline, this newline is not properly escaped. Newlines are also the delimiter between log entries. This allows the attacker to inject new log entries into the log file. ### PoC Run `pyload` in the default configuration by running the following command ``` pyload ``` We can now sign in as the pyload user and view the logs at `http://localhost:8000/logs`.  Any unauthenticated attacker can now make the following request to inject arbitrary logs. ``` curl 'http://localhost:8000/login?next=http://localhost:8000/' -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data-raw $'do=login&username=wrong\'%0a[2024-01-05 02:49:19] HACKER PinkDraconian THIS ENTRY HAS BEEN INJECTED&password=wrong&submit=Login' ``` If we now were to look at the logs again, we see that the entry has successfully been injected.  ### Impact Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act.

Metadata

Created: 2024-01-08T15:29:55Z
Modified: 2024-01-08T15:55:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-ghmw-rwh8-6qmr/GHSA-ghmw-rwh8-6qmr.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-ghmw-rwh8-6qmr
Finding: F184
Auto approve: 1