CWE-117
AllowedImproper Output Neutralization for Logs
Abstraction: Base · Status: Draft
The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
193 vulnerabilities reference this CWE, most recent first.
GHSA-MRRP-VRQF-8VQM
Vulnerability from github – Published: 2024-06-14 00:33 – Updated: 2024-06-14 00:33NVIDIA Triton Inference Server for Linux and Windows contains a vulnerability where a user can inject forged logs and executable commands by injecting arbitrary data as a new log entry. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
{
"affected": [],
"aliases": [
"CVE-2024-0095"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-13T22:15:13Z",
"severity": "CRITICAL"
},
"details": "NVIDIA Triton Inference Server for Linux and Windows contains a vulnerability where a user can inject forged logs and executable commands by injecting arbitrary data as a new log entry. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.",
"id": "GHSA-mrrp-vrqf-8vqm",
"modified": "2024-06-14T00:33:07Z",
"published": "2024-06-14T00:33:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0095"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5546"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MVPQ-R829-8JX3
Vulnerability from github – Published: 2024-08-29 15:30 – Updated: 2024-08-29 15:30A vulnerability was found in kitsada8621 Digital Library Management System 1.0. It has been classified as problematic. Affected is the function JwtRefreshAuth of the file middleware/jwt_refresh_token_middleware.go. The manipulation of the argument Authorization leads to improper output neutralization for logs. It is possible to launch the attack remotely. The name of the patch is 81b3336b4c9240f0bf50c13cb8375cf860d945f1. It is recommended to apply a patch to fix this issue.
{
"affected": [],
"aliases": [
"CVE-2024-8297"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-29T13:15:07Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in kitsada8621 Digital Library Management System 1.0. It has been classified as problematic. Affected is the function JwtRefreshAuth of the file middleware/jwt_refresh_token_middleware.go. The manipulation of the argument Authorization leads to improper output neutralization for logs. It is possible to launch the attack remotely. The name of the patch is 81b3336b4c9240f0bf50c13cb8375cf860d945f1. It is recommended to apply a patch to fix this issue.",
"id": "GHSA-mvpq-r829-8jx3",
"modified": "2024-08-29T15:30:33Z",
"published": "2024-08-29T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8297"
},
{
"type": "WEB",
"url": "https://github.com/kitsada8621/Digital-Library-Management-System/issues/1"
},
{
"type": "WEB",
"url": "https://github.com/kitsada8621/Digital-Library-Management-System/commit/81b3336b4c9240f0bf50c13cb8375cf860d945f1"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.276072"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.276072"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.394613"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MVW9-7543-RJJG
Vulnerability from github – Published: 2023-10-23 00:30 – Updated: 2023-11-01 18:30iTermSessionLauncher.m in iTerm2 before 3.5.0beta12 does not sanitize ssh hostnames in URLs. The hostname's initial character may be non-alphanumeric. The hostname's other characters may be outside the set of alphanumeric characters, dash, and period.
{
"affected": [],
"aliases": [
"CVE-2023-46322"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-23T00:15:08Z",
"severity": "CRITICAL"
},
"details": "iTermSessionLauncher.m in iTerm2 before 3.5.0beta12 does not sanitize ssh hostnames in URLs. The hostname\u0027s initial character may be non-alphanumeric. The hostname\u0027s other characters may be outside the set of alphanumeric characters, dash, and period.",
"id": "GHSA-mvw9-7543-rjjg",
"modified": "2023-11-01T18:30:30Z",
"published": "2023-10-23T00:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46322"
},
{
"type": "WEB",
"url": "https://gitlab.com/gnachman/iterm2/-/commit/ef7bb84520013b2524df9787d4aa9f2c96746c01"
},
{
"type": "WEB",
"url": "https://iterm2.com/downloads.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P56W-H56Q-C97X
Vulnerability from github – Published: 2023-11-08 00:30 – Updated: 2023-11-15 15:30YugabyteDB is vulnerable to cross site scripting (XSS) via log injection. Writing invalidated user input to log files can allow an attacker to forge log entries or inject malicious content into the logs.
{
"affected": [],
"aliases": [
"CVE-2023-6002"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-08T00:15:08Z",
"severity": "HIGH"
},
"details": "YugabyteDB is vulnerable to cross site scripting (XSS) via log injection.\u00a0Writing invalidated user input to log files can allow an attacker to forge log entries or inject malicious content into the logs.\n",
"id": "GHSA-p56w-h56q-c97x",
"modified": "2023-11-15T15:30:20Z",
"published": "2023-11-08T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6002"
},
{
"type": "WEB",
"url": "https://www.yugabyte.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PFXF-WH96-FVJC
Vulnerability from github – Published: 2020-06-25 20:02 – Updated: 2021-01-07 23:50Impact
We log the mail for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries. This is vulnerable to https://cwe.mitre.org/data/definitions/117.html
This problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable.
Patches
version 1.7.0.
Workarounds
In AccountResource.kt you should change the line
log.warn("Password reset requested for non existing mail '$mail'");
to
log.warn("Password reset requested for non existing mail");
References
- https://cwe.mitre.org/data/definitions/117.html
- https://owasp.org/www-community/attacks/Log_Injection
- https://www.baeldung.com/jvm-log-forging
For more information
If you have any questions or comments about this advisory: * Open an issue in jhipster kotlin
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "generator-jhipster-kotlin"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0"
},
{
"fixed": "1.7.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6.0"
]
}
],
"aliases": [
"CVE-2020-4072"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-25T20:02:31Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nWe log the mail for invalid password reset attempts. \nAs the email is provided by a user and the api is public this can be used by an attacker to forge log entries.\nThis is vulnerable to https://cwe.mitre.org/data/definitions/117.html\n\nThis problem affects only application generated with jwt or session authentication. Applications using oauth are not vulnerable.\n\n### Patches\n\nversion 1.7.0.\n\n### Workarounds\n\nIn `AccountResource.kt` you should change the line\n\n```kotlin\n log.warn(\"Password reset requested for non existing mail \u0027$mail\u0027\");\n```\n\nto \n\n```kotlin\n log.warn(\"Password reset requested for non existing mail\");\n```\n\n### References\n\n* https://cwe.mitre.org/data/definitions/117.html\n* https://owasp.org/www-community/attacks/Log_Injection\n* https://www.baeldung.com/jvm-log-forging\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [jhipster kotlin](https://github.com/jhipster/jhipster-kotlin)",
"id": "GHSA-pfxf-wh96-fvjc",
"modified": "2021-01-07T23:50:00Z",
"published": "2020-06-25T20:02:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-pfxf-wh96-fvjc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4072"
},
{
"type": "WEB",
"url": "https://github.com/jhipster/jhipster-kotlin/commit/426ccab85e7e0da562643200637b99b6a2a99449"
},
{
"type": "WEB",
"url": "https://owasp.org/www-community/attacks/Log_Injection"
},
{
"type": "WEB",
"url": "https://www.baeldung.com/jvm-log-forging"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Log Forging in generator-jhipster-kotlin"
}
GHSA-PM48-CVV2-29Q5
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-09-09 21:12Ansible, all ansible_engine-2.x versions and ansible_engine-3.x up to ansible_engine-3.5, was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0a1"
},
{
"fixed": "2.7.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0a1"
},
{
"fixed": "2.8.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-14846"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-17T22:21:08Z",
"nvd_published_at": "2019-10-08T19:15:00Z",
"severity": "HIGH"
},
"details": "Ansible, all ansible_engine-2.x versions and ansible_engine-3.x up to ansible_engine-3.5, was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.",
"id": "GHSA-pm48-cvv2-29q5",
"modified": "2024-09-09T21:12:08Z",
"published": "2022-05-24T16:58:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14846"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/63366"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/90e74dd2600e5cc42dd9b4f4656f3d651c4ce5c4"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/cb0f535a8b254a2daf69cd067e842fabb2993034"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/d961f676c01023a6a21503df16ba551a550e515b"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3201"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3202"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3203"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3207"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0756"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-4.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4950"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ansible Uses Plugins That Disclose Credentials"
}
GHSA-PR3P-HV9Q-44XX
Vulnerability from github – Published: 2023-07-11 03:30 – Updated: 2024-04-04 05:54While using a specific function, SAP ERP Defense Forces and Public Security - versions 600, 603, 604, 605, 616, 617, 618, 802, 803, 804, 805, 806, 807, allows an authenticated attacker with admin privileges to write arbitrary data to the syslog file. On successful exploitation, an attacker could modify all the syslog data causing a complete compromise of integrity of the application.
{
"affected": [],
"aliases": [
"CVE-2023-36924"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-11T03:15:10Z",
"severity": "MODERATE"
},
"details": "While using a specific function, SAP ERP Defense Forces and Public Security - versions 600, 603, 604, 605, 616, 617, 618, 802, 803, 804, 805, 806, 807, allows an authenticated attacker with admin privileges to write arbitrary data to the syslog file. On successful exploitation, an attacker could modify all the syslog data causing a complete compromise of integrity of the application.\n\n",
"id": "GHSA-pr3p-hv9q-44xx",
"modified": "2024-04-04T05:54:45Z",
"published": "2023-07-11T03:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36924"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3351410"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QMX3-M648-HR74
Vulnerability from github – Published: 2022-06-23 00:00 – Updated: 2022-07-05 18:03Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.sling:org.apache.sling.commons.log"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.sling:org.apache.sling.api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-32549"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-117"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-23T17:48:50Z",
"nvd_published_at": "2022-06-22T15:15:00Z",
"severity": "MODERATE"
},
"details": "Apache Sling Commons Log \u003c= 5.4.0 and Apache Sling API \u003c= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.",
"id": "GHSA-qmx3-m648-hr74",
"modified": "2022-07-05T18:03:15Z",
"published": "2022-06-23T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32549"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Log Injection in Apache Sling Commons Log and Apache Sling API"
}
GHSA-QRH5-JG98-CR48
Vulnerability from github – Published: 2025-09-17 15:30 – Updated: 2025-11-05 20:45In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output (including jenkins.log and equivalent) does not restrict or transform the characters that can be inserted from user-specified content in log messages.
This allows attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output.
Jenkins 2.528, LTS 2.516.3 adds an indicator at the beginning of a line that was inserted as part of log message content: [CR], [LF], or [CRLF] (representing the kind of line break), followed by > .
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.516.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.517"
},
{
"fixed": "2.528"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59476"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-17T20:35:34Z",
"nvd_published_at": "2025-09-17T14:15:41Z",
"severity": "MODERATE"
},
"details": "In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output (including `jenkins.log` and equivalent) does not restrict or transform the characters that can be inserted from user-specified content in log messages.\n\nThis allows attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output.\n\nJenkins 2.528, LTS 2.516.3 adds an indicator at the beginning of a line that was inserted as part of log message content: `[CR]`, `[LF]`, or `[CRLF]` (representing the kind of line break), followed by `\u003e` .",
"id": "GHSA-qrh5-jg98-cr48",
"modified": "2025-11-05T20:45:10Z",
"published": "2025-09-17T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59476"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/jenkins"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-09-17/#SECURITY-3424"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/09/17/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins has a log message injection vulnerability"
}
GHSA-QWVC-M955-QJ8V
Vulnerability from github – Published: 2026-03-26 00:30 – Updated: 2026-03-26 00:30IBM Maximo Application Suite - Monitor Component 9.1, 9.0, 8.11, and 8.10 could allow an unauthorized user to inject data into log messages due to improper neutralization of special elements when written to log files.
{
"affected": [],
"aliases": [
"CVE-2025-14684"
],
"database_specific": {
"cwe_ids": [
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T22:16:18Z",
"severity": "MODERATE"
},
"details": "IBM Maximo Application Suite - Monitor Component 9.1, 9.0, 8.11, and 8.10 could allow an unauthorized user to inject data into log messages due to improper neutralization of special elements when written to log files.",
"id": "GHSA-qwvc-m955-qj8v",
"modified": "2026-03-26T00:30:55Z",
"published": "2026-03-26T00:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14684"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7267481"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-30
Strategy: Output Encoding
Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CAPEC-268: Audit Log Manipulation
The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-93: Log Injection-Tampering-Forging
This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.