CVE-2021-43410

Published: Dec 9, 2021Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. In particular, some HTTP request parameters are logged without first being escaped. Versions affected: master branch before commit 3c5d8c7 [1] of airavata-django-portal [1] https://github.com/apache/airavata-django-portal/commit/3c5d8c72bfc3eb0af8693a655a5d60f9273f8170

Affected (1)

Products: Apache: Airavata Django Portal

1 product

Airavata Django Portal

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Airavata Django Portal	Before 2021-12-06

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Improper Output Neutralization for Logs

The product does not neutralize or incorrectly neutralizes output that is written to logs.

References (2)

https://lists.apache.org/thread/q64h16ofdxk29soz3jj561nysnzcrl31

Source: security@apache.org

Mailing ListVendor Advisory

https://lists.apache.org/thread/q64h16ofdxk29soz3jj561nysnzcrl31

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

Timeline

No history available yet.