CVE-2024-21645: 
Python vulnerability analysis and mitigation

A log injection vulnerability (CVE-2024-21645) was identified in pyLoad, a free and open-source Download Manager written in Python. The vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyLoad. This security issue was discovered in versions prior to 0.5.0b3.dev77 and has been assigned a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory).

The vulnerability occurs when pyLoad generates log entries during failed login attempts. While the application logs failed login attempts in the format 'Login failed for user 'USERNAME'', it fails to properly escape newline characters in the username input. Since newlines are used as delimiters between log entries, this allows attackers to inject arbitrary log entries. The vulnerability has been classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) (NVD).

The primary impact of this vulnerability is the ability to forge or corrupt log files. Attackers can use this capability to cover their tracks or potentially implicate other parties in malicious activities by injecting false log entries. The CVSS metrics indicate no impact on confidentiality or availability, but a low impact on integrity (GitHub Advisory).

The vulnerability has been patched in pyLoad version 0.5.0b3.dev77. The fix involves properly sanitizing username input by escaping newline characters before logging. Users are advised to upgrade to this version or later to address the vulnerability (GitHub Patch).