6.5
CVE-2021-42250
- EPSS 1.76%
- Veröffentlicht 17.11.2021 15:15:08
- Zuletzt bearbeitet 21.11.2024 06:27:27
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Possible log injection
Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.76% | 0.751 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:N/I:P/A:N
|
CWE-116 Improper Encoding or Escaping of Output
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-117 Improper Output Neutralization for Logs
The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
http://www.openwall.com/lists/oss-security/2021/11/17/2
https://lists.apache.org/thread/53lkszw6d3tybp5t99nvgcj538b9trw9