
CWE-117 (Improper Output Neutralization for Logs) — Vulnerability Class 81

81 vulnerabilities classified as CWE-117 (Improper Output Neutralization for Logs). AI Chinese analysis included.

CWE-117 is an input-neutralization weakness: the application writes externally supplied data to a log file without sanitizing it first. An attacker can inject forged log entries by manipulating fields such as usernames or URLs that are concatenated directly into log messages, typically by inserting newline characters or log-specific formatting codes. Forged entries can obscure legitimate activity, raise false alerts, or enable follow-on log injection attacks such as cross-site scripting or server-side request forgery against whatever consumes the logs. The defence is strict, logging-specific output encoding and validation: treat all external input as untrusted and apply context-aware neutralization, such as escaping special characters or using a structured logging framework, so that log data stays safe and interpretable and the audit trail keeps its integrity and reliability.

MITRE CWE Description
The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Non-Repudiation. Impact: Modify Application Data, Hide Activities, Execute Unauthorized Code or Commands.
Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appr…
Mitigations (3)
Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Examples (1)
The following web application code attempts to read an integer value from a request object. If the parseInt call fails, then the input is logged with an error message indicating what happened.
String val = request.getParameter("val");
try {
    int value = Integer.parseInt(val);
} catch (NumberFormatException e) {
    // val is written to the log verbatim: a CR/LF inside it forges a new entry
    log.info("Failed to parse val = " + val);
}
...
Bad · Java
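As an added illustration (not part of the CWE entry or of this page), the same parse-failure logging in Python, first unneutralized as in the Java snippet and then with a neutralizer that escapes CR, LF and other control characters so that one entry always occupies one line. The request value, the logger names and the neutralizer are constructed for the demonstration.

```python
import io
import logging

# Constructed sample request value (assumption: attacker controls "val" as in
# the CWE example): fails int parsing and carries CR LF so the tail reads as a
# second, legitimate-looking INFO entry.
FORGED_VAL = "twenty-one\r\nINFO Failed to parse val = admin logged out"

def neutralize_for_log(value: str, max_len: int = 200) -> str:
    """Escape what would break a line-oriented log entry: CR/LF/TAB become
    visible escapes, other control chars (incl. ANSI ESC) become \\xNN, and
    overlong input is truncated so one entry always stays one line."""
    out = []
    for ch in value[:max_len]:
        code = ord(ch)
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif code < 0x20 or 0x7F <= code <= 0x9F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    if len(value) > max_len:
        out.append("...[truncated]")
    return "".join(out)

def _logger_to_buffer(name: str):
    """Logger writing 'LEVEL message' lines into an in-memory buffer."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf

def log_parse_failure(val: str, neutralize: bool) -> str:
    """Same flow as the CWE example; returns the text that reached the sink."""
    logger, buf = _logger_to_buffer("cwe117-safe" if neutralize else "cwe117-bad")
    try:
        int(val)
    except ValueError:
        shown = neutralize_for_log(val) if neutralize else val
        logger.info("Failed to parse val = %s", shown)
    return buf.getvalue()
```

Without neutralization the forged value yields two INFO lines in the sink; with it the whole value is visible, escaped, on a single line.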
CVE ID | Title — Product | CVSS | Severity | Published
CVE-2023-1711 | Hitachi FOXMAN-UN security vulnerability — FOXMAN-UN | 4.0 | Medium | 2023-05-30
CVE-2023-0595 | EcoStruxure Geo SCADA Expert security vulnerability — EcoStruxure Geo SCADA Expert 2019 | 5.3 | Medium | 2023-02-24
CVE-2015-10011 | OpenDNS OpenResolve endpoints.py neutralization for logs — OpenResolve | 4.6 | Medium | 2023-01-02
CVE-2022-1522 | Cognex 3D-A1000 Dimensioning System Improper Output Neutralization for Logs — 3D-A1000 Dimensioning System | 5.3 | Medium | 2022-09-06
CVE-2022-32549 | log injection in Sling logging — Apache Sling | 5.3 | - | 2022-06-22
CVE-2021-23266 | Improper Output Neutralization for Logs in Crafter Studio — Crafter CMS | 4.3 | Medium | 2022-05-16
CVE-2022-22151 | Yokogawa Exaopc security vulnerability — CENTUM CS 3000 | 8.1 | - | 2022-03-11
CVE-2021-43410 | airavata-django-portal allows CRLF log injection because of the lack of escaping in the log statements — Apache Airavata Django Portal | 5.3 | - | 2021-12-09
CVE-2021-42250 | Possible log injection — Apache Superset | 6.5 | - | 2021-11-17
CVE-2021-22096 | VMware Spring Framework security vulnerability — Spring Framework | 4.3 | - | 2021-10-28
CVE-2021-20333 | Server log entry spoofing via newline injection — MongoDB Server | 5.3 | Medium | 2021-07-23
CVE-2020-25646 | Red Hat Ansible security vulnerability — Community Collections | 7.5 | High | 2020-10-29
CVE-2020-11644 | GateManager Audit Message Spoofing Vulnerability — GateManager | 6.5 | Medium | 2020-10-15
CVE-2020-14332 | Red Hat Ansible log information disclosure vulnerability — Ansible | 5.5 | Medium | 2020-09-11
CVE-2020-4072 | Log Forging in generator-jhipster-kotlin — jhipster-kotlin | 5.3 | Medium | 2020-06-25
CVE-2019-14854 | Red Hat OpenShift Container Platform log information disclosure vulnerability — library-go | 6.5 | - | 2020-01-07
CVE-2019-14864 | Ansible log information disclosure vulnerability — Ansible | 6.5 | - | 2020-01-02
CVE-2019-10213 | Red Hat OpenShift Container Platform log information disclosure vulnerability — openshift | 6.5 | - | 2019-11-25
CVE-2019-14858 | Red Hat Ansible Tower and Engine log information disclosure vulnerability — Ansible | 5.5 | - | 2019-10-14
CVE-2019-14846 | Red Hat Ansible log information disclosure vulnerability — Ansible | 7.1 | - | 2019-10-08
CVE-2018-10932 | lldpd buffer error vulnerability — lldptool | 7.5 | - | 2018-08-21

Vulnerabilities classified as CWE-117 (Improper Output Neutralization for Logs) represent 81 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.