CVE-2024-21645

Advisory

Pyload-ng versions before 0.5.0b3.dev77 are vulnerable to Log Injection, allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by 'pyload'. Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise, corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77. See CVE-2024-21645.


MISC:https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d: https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d
MISC:https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr: https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr

Resources

• https://github.com/pyload/pyload/commit/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d
• https://github.com/pyload/pyload/security/advisories/GHSA-ghmw-rwh8-6qmr
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21645