Base Score

MEDIUM5.3

CVE-2022-32549

Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. The ability to forge logs may allow an attacker to cover tracks by injecting fake logs and potentially corrupt log files.

VectorNETWORK

Published Bysecurity@apache.org

Published DateJun 22, 2022, 15:15

Affected Versions(2)

org.apache.sling:org.apache.sling.commons.log(Maven)

Introduced0

FixedN/A

LimitN/A

org.apache.sling:org.apache.sling.api(Maven)

Introduced0

FixedN/A

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.sling:org.apache.sling.commons.log(Maven)	0	N/A	N/A
org.apache.sling:org.apache.sling.api(Maven)	0	N/A	N/A

Weakness Type (CWE):CWE-116

CVSS Metrics

Base Score

5.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE

References

https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v

Base Score

MEDIUM5.3

Weakness Type (CWE):CWE-116

CVSS Metrics

Base Score

5.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

LOW

Availability (A)

NONE