Multiple Log forging vulnerabilities

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Medium
    • Affects Version/s: None
    • Component/s: None

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      This is from a source code scan of 4.3 m3.

      - The method doGet() in AbstractAvatarServlet.java writes unvalidated user input to the log on line 63.
      - The method logRequestInformation() in AbstractNoOpServlet.java writes unvalidated user input to the log on line 79.
      - The method logRequestInformation() in AbstractNoOpServlet.java writes unvalidated user input to the log on line 78.

      - The method postFilterCallStep() in AccessLogFilter.java writes unvalidated user input to the log on line 298.

      - The method detectDirtyActionContext() in ActionCleanupDelayFilter.java writes unvalidated user input to the log on line 111.

      - The method doUpload() in AvatarPicker.java writes unvalidated user input to the log on line 150.

      - The method redirectToOriginalDestination() in BaseLoginFilter.java writes unvalidated user input to the log on line 273.

      - The method doFilter() in CrowdSecurityFilter.java writes unvalidated user input to the log on line 144.

      - The method login() in DefaultAuthenticator.java writes unvalidated user input to the log on line 90.
      - The method login() in DefaultAuthenticator.java writes unvalidated user input to the log on line 119.
      - The method login() in DefaultAuthenticator.java writes unvalidated user input to the log on line 113.

      - The method logMessage() in JiraAxisSoapLog.java writes unvalidated user input to the log on line 122.
      - The method logMessage() in JiraAxisSoapLog.java writes unvalidated user input to the log on line 113.

      - The method handleError() in JohnsonFilter.java writes unvalidated user input to the log on line 35.
      - The method handleNotSetup() in JohnsonFilter.java writes unvalidated user input to the log on line 43.

      - The method write() in Log.java writes unvalidated user input to the log on line 526.

      - The method serveFile() in PluginResourceDownload.java writes unvalidated user input to the log on line 59.
      - The method serveFile() in PluginResourceDownload.java writes unvalidated user input to the log on line 66.

      - The method doFilter() in RequestCleanupFilter.java writes unvalidated user input to the log on line 102.
      - The method doFilter() in RequestCleanupFilter.java writes unvalidated user input to the log on line 91.

      - The method injectWorkflow() in RequestComponentManager.java writes unvalidated user input to the log on line 108.
      - The method injectWorkflow() in RequestComponentManager.java writes unvalidated user input to the log on line 164.

      - The method doFilter() in SecurityFilter.java writes unvalidated user input to the log on line 176.

      - The method setFailureHeader() in TrustedApplicationFilterAuthenticator.java writes unvalidated user input to the log on line 134.

      - The method doFilter() in VerifyTokenFilter.java writes unvalidated user input to the log on line 164.

            Assignee: Unassigned
            Reporter: VitalyA
            Votes: 0
            Watchers: 3
