# CVE Reservation Request <!-- There's help in the Eclipse Foundation Project Handbook https://www.eclipse.org/projects/handbook/#vulnerability-cve Note that this issue is configured (see the quick actions at the bottom) to be created as confidential. Note that a vulnerability does not need to actually be resolved before it is reported and that these reports can be revised as needed (reopen the issue to request changes). If you do not know how to fill certain fields, mark that in the comment and we will help you. You can delete the comments (or not). --> The Eclipse Foundation is a [Common Vulnerabilities and Exposures](https://cve.mitre.org/) (CVE) Numbering Authority. Creating this ticket initiates **reservation** of a CVE ID for the documented vulnerability. The reserved CVE ID will be posted in a comment below, and kept **confidential** until explicit publication request. > [!note] > To request CVE *publication*, please open a [CVE publication](https://gitlab.eclipse.org/security/cve-assignment/-/issues/new?issuable_template=CVE%20Publication%20Request) ticket. Please fill in the fields below to draft the CVE record. --- ## CVE record information **Project name:** Eclipse CSI - PIA **Project id:** technology.csi **Versions affected:** <=0.2.1 **Common Weakness Enumeration (CWE):** CWE-117: Improper Output Neutralization for Logs **Common Vulnerability Scoring System:** {[cvss](https://www.first.org/cvss/calculator/4.0)} CVSS v4.0 Score: 6.9 / Medium CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N <!-- Required (for publication). The summary should start with the name of the project, e.g., "Eclipse Vert.x", then a description of the affected versions, followed by a description of the problem. The summary should be concise. For example, "In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response." --> **Summary:** The /v1/upload/sbom endpoint extracts the iss claim from the attacker-supplied JWT with signature verification disabled, then interpolates that string into three log statements before any validation gate. Because the configured log format ("%(asctime)s - %(name)s - %(levelname)s - %(message)s") renders newlines literally, an unauthenticated attacker can forge log records that are byte-for-byte indistinguishable from PIA's genuine "Successfully authenticated project" message. PIA is an authentication broker whose logs are explicitly relied upon for incident response (DESIGN.md §5.4 lists "Token verifications" and "Errors" as events to log), so the ability to plant fake auth-success entries directly undermines the audit trail the service exists to produce. <!-- Required (for publication). Include a link to the issue (e.g., GitHub Security Advisory) that's being used to track/resolve the issue. Other links that provide more information can be provided. For example, you may later publish the link to the fix commit. --> **Links:** - https://github.com/eclipse-csi/pia/security/advisories/GHSA-3g7j-3xgm-85mc <!-- Optional. Add the name or pseudonym of the person who has reported the issue. --> **Credits:** ... <!-- Quick actions will configure the state of the issue. Leave these. --> <!-- Keep this as the last line -->