091 – Log injection

Description

The system logs entries that contain input from untrusted sources without properly validating, sanitizing or escaping their content.

Impact

Inject code or fake inputs in the systems log, compromising the integrity of logs, or in the worst case, the system of who is viewing the logs.

Recommendation

Sanitize inputs before storing them in the log.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: N
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 080 - Prevent log modification
• 173 - Discard unsafe inputs

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Swift
• Typescript

Last updated

2024/02/12