CVE-2024-21645
Published 2024-01-08
Priority P3 · 53 · medium · 5.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EXPLOIT
EPSS: 24.51% (97.6th percentile)
pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyload-ng_project | pyload-ng | >= 0 < 0.5.0b3.dev77 | 0.5.0b3.dev77 |
| pyload | pyload | < 0.5.0b3.dev77 | 0.5.0b3.dev77 |
| pyload | pyload | <= 0.4.9 | — |
| pyload | pyload | — | — |
Detection & IOCs (extracted from sources)
command: `do=login&username={{randstr}}\'%0a[1970-01-01 00:00:00] INJECTED {{str}} THIS ENTRY HAS BEEN INJECTED&password=wrong&submit=Login`
- Log injection payload delivered via the `username` field of the pyLoad login endpoint using a URL-encoded newline (%0a) to forge log entries. Look for `%0a` or newline characters in POST body to `/login`.
- Successful exploitation is confirmed by the injected string appearing verbatim in the response body when accessing the `/logs` endpoint after the forged login attempt.
- Shodan/FOFA fingerprinting queries for exposed pyLoad instances: search for HTTP title 'login - pyload' or HTML body containing 'pyload'.
- The vulnerability is unauthenticated — no credentials are required to inject log entries. Monitor POST requests to /login with newline characters (%0a or \n) in the username parameter.
- The vulnerability is fixed in pyLoad version 0.5.0b3.dev77 and later. Instances running versions prior to this are affected.
- The Nuclei template uses two sequential requests: the first injects the forged log entry, the second authenticates to /logs to verify the injected content appears in the response. Both requests must succeed (HTTP 200 after redirect) for a positive match.
OSV
pyload Log Injection vulnerability
osv·2024-01-08
CVE-2024-21645 [MEDIUM] pyload Log Injection vulnerability
pyload Log Injection vulnerability
### Summary
A log injection vulnerability was identified in `pyload`. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`.
### Details
`pyload` will generate a log entry when attempting to sign in with faulty credentials. This entry will be in the form of `Login failed for user 'USERNAME'`. However, when supplied with a username containing a newline, this newline is not properly escaped. Newlines are also the delimiter between log entries. This allows the attacker to inject new log entries into the log file.
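The sketch below is an added example, not pyLoad's code or its patch. It reproduces the failure described in the Details above with Python's standard `logging` module, shows the same entry with control characters neutralized, and implements the check suggested under Detection & IOCs (control characters in the decoded `username` field). The log format, function names and sample values are assumptions constructed for the demonstration.

```python
import io
import logging
import re
from urllib.parse import parse_qs

# Constructed sample: a username carrying a newline plus a fake, back-dated entry.
FORGED = "alice'\n[1970-01-01 00:00:00] INFO constructed forged entry"
SAMPLE_BODY = ("do=login&username=alice%27%0a%5B1970-01-01+00%3A00%3A00%5D"
               "+INFO+constructed+forged+entry&password=wrong&submit=Login")

# Assumed log layout for the demo; pyLoad's real formatter may differ.
FMT = "[%(asctime)s] %(levelname)s %(message)s"
# C0 controls, DEL and the Unicode line separators that viewers treat as line breaks.
CONTROL = re.compile(r"[\x00-\x1f\x7f\u0085\u2028\u2029]")


def neutralize(value: str) -> str:
    """Escape backslashes and control characters so a value cannot end a log line."""
    value = value.replace("\\", "\\\\")
    return CONTROL.sub(lambda m: m.group().encode("unicode_escape").decode("ascii"), value)


def log_failed_login(username: str, sanitize: bool) -> list[str]:
    """Write one failed-login entry to an in-memory log and return its lines."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter(FMT, datefmt="%Y-%m-%d %H:%M:%S"))
    logger = logging.Logger("login-demo")  # standalone logger, not the root logger
    logger.addHandler(handler)
    user = neutralize(username) if sanitize else username
    logger.warning("Login failed for user '%s'", user)
    return buf.getvalue().splitlines()


def suspicious_login_body(body: str) -> bool:
    """Flag a form-encoded login body whose decoded username holds control characters."""
    fields = parse_qs(body, keep_blank_values=True)
    return any(CONTROL.search(v) for v in fields.get("username", []))


if __name__ == "__main__":
    print(log_failed_login(FORGED, sanitize=False))  # two entries: one real, one forged
    print(log_failed_login(FORGED, sanitize=True))   # one entry, newline shown as \n
    print(suspicious_login_body(SAMPLE_BODY))
```

Escaping at the point where the value enters the log message keeps the original input recoverable for investigators, while the body check works on the decoded value, so it catches `%0a`, `%0A` and a literal newline alike.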
### PoC
Run `pyload` in the default configuration by running the following command
```
pyload
```
We can now sign in as the pyload user and view the logs at `http://localhost:8000/log
GHSA
pyload Log Injection vulnerability
ghsa·2024-01-08
CVE-2024-21645 [MEDIUM] CWE-74 pyload Log Injection vulnerability
No detection rules found.
Nuclei
pyload - Log Injection
nuclei·CVSS 5.3
CVE-2024-21645 [MEDIUM] pyload - Log Injection
pyload - Log Injection
A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload.
Template:
```
id: CVE-2024-21645

info:
  name: pyload - Log Injection
  author: isacaya
  severity: medium
  description: |
    A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload.
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact: |
    Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act.
  reference:
    - https://github.com/advisories/GH
```
No writeups or analysis indexed.
- https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d
- https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr

Published: 2024-01-08