rpm package
opensuse/log4cxx&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/log4cxx&distro=openSUSE%20Tumbleweed
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40023 | Med | 5.3 | < 1.7.0-2.1 | 1.7.0-2.1 | Apr 10, 2026 | Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in log messages, NDC, and MDC property | |
| CVE-2025-54812 | — | < 1.5.0-1.1 | 1.5.0-1.1 | Aug 22, 2025 | Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Ja | ||
| CVE-2023-31038 | — | < 1.1.0-1.1 | 1.1.0-1.1 | May 8, 2023 | SQL injection in Log4cxx when using the ODBC appender to send log messages to a database. No fields sent to the database were properly escaped for SQL injection. This has been the case since at least version 0.9.0(released 2003-08-06) Note that Log4cxx is a C++ framework, s |
- affected < 1.7.0-2.1fixed 1.7.0-2.1
Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in log messages, NDC, and MDC property
- CVE-2025-54812Aug 22, 2025affected < 1.5.0-1.1fixed 1.5.0-1.1
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Ja
- CVE-2023-31038May 8, 2023affected < 1.1.0-1.1fixed 1.1.0-1.1
SQL injection in Log4cxx when using the ODBC appender to send log messages to a database. No fields sent to the database were properly escaped for SQL injection. This has been the case since at least version 0.9.0(released 2003-08-06) Note that Log4cxx is a C++ framework, s