A flaw was found in the rubygem-rack package. When a user provides the authorization credentials via Rack::Auth::Basic, if successful, the username is placed in env['REMOTE_USER'] and later used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username containing CRLF and white space characters or the server logs every login attempt. If an attacker enters a username with a CRLF character, the logger will log the malicious username with CRLF characters into the logfile. This flaw allows attackers to break log formats or insert fraudulent entries, potentially obscuring activity or injecting malicious data into log files.