Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Log Injection
Vulnerability Description
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file).
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
N/A
Vulnerability Title
Encode OSS Uvicorn 注入漏洞
Vulnerability Description
Encode OSS Uvicorn是英国Encode OSS公司的一款基于uvloop和httptools构建的ASGI(Web服务器网关接口)服务器。 Encode OSS uvicorn(所有版本)中存在安全漏洞。攻击者可借助特制的URL利用该漏洞污染uvicorn的访问日志,影响此类文件的完整性。
CVSS Information
N/A
Vulnerability Type
N/A