Maven package
org.apache.logging.log4j/log4j
pkg:maven/org.apache.logging.log4j/log4j
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-9488 | — | >= 2.13.0, < 2.13.2 | 2.13.2 | Apr 27, 2020 | Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1 | ||
| CVE-2017-5645 | Cri | 9.8 | >= 2.0, < 2.8.2 | 2.8.2 | Apr 17, 2017 | In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. |
- CVE-2020-9488Apr 27, 2020affected >= 2.13.0, < 2.13.2fixed 2.13.2
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
- affected >= 2.0, < 2.8.2fixed 2.8.2
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.