Improper neutralization of special elements in output used by a downstream component in Apache Geode - CVE-2021-34797

 

Improper neutralization of special elements in output used by a downstream component in Apache Geode - CVE-2021-34797

Published: January 4, 2022


Vulnerability identifier: #VU59173
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-34797
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Geode

Detailed vulnerability description

The vulnerability allows a remote user to alter log files.

The vulnerability exists due to improper input validation when parsing values that begin with characters other than letters or numbers for passwords and security properties with the prefix "sysprop-", "javax.net.ssl", or "security-". A remote user can inject specially crafted characters into log files and alter them, hiding initial information.


How to mitigate CVE-2021-34797

Install updates from vendor's website.

Sources