{"containers": {"cna": {"affected": [{"product": "Apache Sling", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.25.0", "status": "affected", "version": "Apache Sling API", "versionType": "custom"}, {"lessThanOrEqual": "5.4.0", "status": "affected", "version": "Apache Sling Commons Log", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache Sling would like to thank Alex Collignon for reporting this issue."}], "descriptions": [{"lang": "en", "value": "Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files."}], "metrics": [{"other": {"content": {"other": "important"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-117", "description": "CWE-117: Improper Output Neutralization for Logs", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-22T14:25:10", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v"}], "source": {"discovery": "UNKNOWN"}, "title": "log injection in Sling logging", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-32549", "STATE": "PUBLIC", "TITLE": "log injection in Sling logging"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Sling", "version": {"version_data": [{"version_affected": "<=", "version_name": "Apache Sling API", "version_value": "2.25.0"}, {"version_affected": "<=", "version_name": "Apache Sling Commons Log", "version_value": "5.4.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Sling would like to thank Alex Collignon for reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "important"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-117: Improper Output Neutralization for Logs"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v", "refsource": "MISC", "url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:46:43.499Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-32549", "datePublished": "2022-06-22T14:25:10", "dateReserved": "2022-06-08T00:00:00", "dateUpdated": "2024-08-03T07:46:43.499Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:sling_api:*:*:*:*:*:*:*:*", "matchCriteriaId": "3DE53A5F-C5AF-4BC5-8E11-25974893ED3F", "versionEndIncluding": "2.25.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:sling_commons_log:*:*:*:*:*:*:*:*", "matchCriteriaId": "292B4F19-0D8F-4F97-918E-9A81CF040B6D", "versionEndIncluding": "5.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files."}, {"lang": "es", "value": "Apache Sling Commons Log versiones anteriores a 5.4.0 incluy\u00e9ndola y Apache Sling API versiones anteriores a 2.25.0 incluy\u00e9ndola, son vulnerables a una inyecci\u00f3n de registros. La capacidad de falsificar registros puede permitir a un atacante cubrir sus huellas al inyectar registros falsos y corrompiendo potencialmente los archivos de registro"}], "id": "CVE-2022-32549", "lastModified": "2024-11-21T07:06:36.523", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-22T15:15:08.407", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-117"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-116"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "Sling: log injection in Sling logging", "id": "2102810", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2102810"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-117", "details": ["Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.", "A flaw was found in Apache Sling Commons Log. This flaw allows an attacker to benefit from the flaw and forge logs, allowing cover tracks and potentially corrupting log files."], "name": "CVE-2022-32549", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.apache.sling", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "org.apache.sling", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "org.apache.sling", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "org.apache.sling", "product_name": "Red Hat Integration Data Virtualisation Operator"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "org.apache.sling", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "org.apache.sling", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "org.apache.sling", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.apache.sling", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2022-06-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-32549\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-32549"], "threat_severity": "Moderate"}