CVE-2024-21645 - Vulnerability Details - OpenCVE

pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Pyload	Pyload

Configuration 1 [-]

OR	cpe:2.3:a:pyload:pyload::::::::
	cpe:2.3:a:pyload:pyload:0.5.0:beta1::::::
	cpe:2.3:a:pyload:pyload:0.5.0:beta2::::::

No data.

References

Link	Providers
https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d
https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr

History

Thu, 14 Nov 2024 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-08T13:20:47.181Z

Updated: 2024-11-14T17:38:32.866Z

Reserved: 2023-12-29T03:00:44.958Z

Link: CVE-2024-21645

Vulnrichment

Updated: 2024-08-01T22:27:35.862Z

NVD

Status : Modified

Published: 2024-01-08T14:15:47.420

Modified: 2024-11-21T08:54:47.520

Link: CVE-2024-21645

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21645", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T03:00:44.958Z", "datePublished": "2024-01-08T13:20:47.181Z", "dateUpdated": "2024-11-14T17:38:32.866Z"}, "containers": {"cna": {"title": "pyLoad Log Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr"}, {"name": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d", "tags": ["x_refsource_MISC"], "url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d"}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"version": "< 0.5.0b3.dev77", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-08T13:20:47.181Z"}, "descriptions": [{"lang": "en", "value": "pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker\u2019s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.\n"}], "source": {"advisory": "GHSA-ghmw-rwh8-6qmr", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:35.862Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr"}, {"name": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-01-17T21:13:17.262265Z", "id": "CVE-2024-21645", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-14T17:38:32.866Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d", "name": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:35.862Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21645", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-17T21:13:17.262265Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-14T17:38:29.689Z"}}], "cna": {"title": "pyLoad Log Injection", "source": {"advisory": "GHSA-ghmw-rwh8-6qmr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "pyload", "product": "pyload", "versions": [{"status": "affected", "version": "< 0.5.0b3.dev77"}]}], "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr", "name": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d", "name": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker\u2019s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-08T13:20:47.181Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21645", "state": "PUBLISHED", "dateUpdated": "2024-11-14T17:38:32.866Z", "dateReserved": "2023-12-29T03:00:44.958Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-08T13:20:47.181Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*", "matchCriteriaId": "71C7D7BA-743B-4C43-B77C-E6C1A6ACFE7E", "versionEndIncluding": "0.4.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyload:pyload:0.5.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3040B5C9-171B-40D9-83CB-CD529DC046ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:pyload:pyload:0.5.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "78FA70FC-0CFE-4E89-9274-1670E1204B61", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker\u2019s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.\n"}, {"lang": "es", "value": "pyLoad es el administrador de descargas gratuito y de c\u00f3digo abierto escrito en Python puro. Se identific\u00f3 una vulnerabilidad de inyecci\u00f3n de registros en \"pyload\" que permite a cualquier actor no autenticado inyectar mensajes arbitrarios en los registros recopilados por \"pyload\". Los archivos de registro corruptos, falsificados o no, se pueden utilizar para cubrir las huellas de un atacante o incluso para implicar a otra parte en la comisi\u00f3n de un acto malicioso. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 0.5.0b3.dev77."}], "id": "CVE-2024-21645", "lastModified": "2024-11-21T08:54:47.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-08T14:15:47.420", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}]}