CVE-2024-21645
pyload Log Injection vulnerability
Description
### Summary A log injection vulnerability was identified in `pyload`. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. ### Details `pyload` will generate a log entry when attempting to sign in with faulty credentials. This entry will be in the form of `Login failed for user 'USERNAME'`. However, when supplied with a username containing a newline, this newline is not properly escaped. Newlines are also the delimiter between log entries. This allows the attacker to inject new log entries into the log file. ### PoC Run `pyload` in the default configuration by running the following command ``` pyload ``` We can now sign in as the pyload user and view the logs at `http://localhost:8000/logs`.  Any unauthenticated attacker can now make the following request to inject arbitrary logs. ``` curl 'http://localhost:8000/login?next=http://localhost:8000/' -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data-raw $'do=login&username=wrong\'%0a[2024-01-05 02:49:19] HACKER PinkDraconian THIS ENTRY HAS BEEN INJECTED&password=wrong&submit=Login' ``` If we now were to look at the logs again, we see that the entry has successfully been injected.  ### Impact Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act.
How to fix CVE-2024-21645
To remediate CVE-2024-21645, upgrade the affected package to a fixed version below.
- —upgrade to 0.5.0b3.dev77 or later
Is CVE-2024-21645 being exploited?
Likely — EPSS is 69.1%, placing CVE-2024-21645 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.