CVE-2022-32549

CWE-117 CWE-1165 documents5 sources

Severity

5.3MEDIUM

EPSS

2.9%

top 13.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Sling Apache Sling API Apache Sling Commons LOG

Timeline

PublishedJun 22

Latest updateJun 23

Description

Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

▶NVDapache/sling_commons_log5.4.0

▶Mavenorg.apache.sling:org.apache.sling.commons.log5.4.0

▶NVDapache/sling_api2.25.0

▶Mavenorg.apache.sling:org.apache.sling.api2.25.0

▶CVEListV5apache_software_foundation/apache_slingApache Sling API — 2.25.0+1

🔴Vulnerability Details

GHSA

Log Injection in Apache Sling Commons Log and Apache Sling API↗2022-06-23

▶

OSV

Log Injection in Apache Sling Commons Log and Apache Sling API↗2022-06-23

▶

CVEList

log injection in Sling logging↗2022-06-22

▶

📋Vendor Advisories

Red Hat

Sling: log injection in Sling logging↗2022-06-22

▶