airavata-django-portal allows CRLF log injection because of the lack of escaping in the log statements
CVE-2021-43410

5.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Airavata Django Portal
Vendor: CVE Published:; 9 December 2021

Summary

Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. In particular, some HTTP request parameters are logged without first being escaped. Versions affected: master branch before commit 3c5d8c7 [1] of airavata-django-portal [1] https://github.com/apache/airavata-django-portal/commit/3c5d8c72bfc3eb0af8693a655a5d60f9273f8170

Affected Version(s)

Apache Airavata Django Portal master branch

References

https://lists.apache.org/thread/q64h16ofdxk29soz3jj561nys...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 9, 2021
Vulnerability Reserved
Nov 6, 2021

Credit

Apache Airavata would like to thank haby0 of Duxiaoman Financial Security Team for reporting this vulnerability.