VYPR

rpm package

opensuse/log4j&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/log4j&distro=openSUSE%20Tumbleweed

Vulnerabilities (8)

  • CVE-2026-34481HigApr 10, 2026
    affected < 2.20.0-2.1fixed 2.20.0-2.1

    Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohib

  • CVE-2026-34480HigApr 10, 2026
    affected < 2.20.0-2.1fixed 2.20.0-2.1

    Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whene

  • CVE-2026-34479HigApr 10, 2026
    affected < 2.20.0-2.1fixed 2.20.0-2.1

    The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downs

  • CVE-2026-34477MedApr 10, 2026
    affected < 2.20.0-2.1fixed 2.20.0-2.1

    The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName

  • CVE-2025-68161Dec 18, 2025
    affected < 2.20.0-1.1fixed 2.20.0-1.1

    The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co

  • CVE-2021-45046KEVDec 14, 2021
    affected < 2.16.0-2.1fixed 2.16.0-2.1

    It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with

  • CVE-2021-4104HigDec 14, 2021
    affected < 2.16.0-2.1fixed 2.16.0-2.1

    JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t

  • CVE-2021-44228KEVDec 10, 2021
    affected < 2.13.2-2.1fixed 2.13.2-2.1

    Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messa