📂 Vulnerable Library - slf4j-log4j12-1.7.7.jar
SLF4J LOG4J-12 Binding
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/slf4j/slf4j-log4j12/1.7.7/slf4j-log4j12-1.7.7.jar
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
Reachability |
| CVE-2019-17571 |
🟣 Critical |
9.3 |
Not Defined |
43.2% |
log4j-1.2.17.jar |
Transitive |
N/A |
❌ |
 Unreachable |
| CVE-2020-9493 |
🟣 Critical |
9.3 |
Not Defined |
< 1% |
log4j-1.2.17.jar |
Transitive |
N/A |
❌ |
Unreachable |
| CVE-2022-23305 |
🟣 Critical |
9.3 |
Not Defined |
14.1% |
log4j-1.2.17.jar |
Transitive |
N/A |
❌ |
 Reachable |
| CVE-2022-23302 |
🔴 High |
8.7 |
Not Defined |
< 1% |
log4j-1.2.17.jar |
Transitive |
N/A |
❌ |
Unreachable |
| CVE-2022-23307 |
🔴 High |
8.7 |
Not Defined |
< 1% |
log4j-1.2.17.jar |
Transitive |
N/A |
❌ |
Unreachable |
| CVE-2023-26464 |
🔴 High |
8.7 |
Not Defined |
< 1% |
log4j-1.2.17.jar |
Transitive |
N/A |
❌ |
Reachable |
| CVE-2021-4104 |
🔴 High |
7.7 |
High |
73.7% |
log4j-1.2.17.jar |
Transitive |
N/A |
❌ |
Reachable |
| CVE-2020-9488 |
🟠 Medium |
6.3 |
Not Defined |
< 1% |
log4j-1.2.17.jar |
Transitive |
N/A |
❌ |
Reachable |
Details
🟣CVE-2019-17571
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- slf4j-log4j12-1.7.7.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: Dec 20, 2019 04:01 PM
URL: CVE-2019-17571
Threat Assessment
Exploit Maturity:Not Defined
EPSS:43.2%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E
Release Date: Dec 20, 2019 04:01 PM
Fix Resolution : log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
🟣CVE-2020-9493
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- slf4j-log4j12-1.7.7.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: Jun 16, 2021 07:30 AM
URL: CVE-2020-9493
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: Jun 16, 2021 07:30 AM
Fix Resolution : ch.qos.reload4j:reload4j:1.2.18.1
🟣CVE-2022-23305
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- slf4j-log4j12-1.7.7.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.veracode.verademo.controller.UserController (Application)
- org.apache.log4j.spi.NOPLogger (Extension)
-> ❌ org.apache.log4j.jdbc.JDBCAppender (Vulnerable Component)
Vulnerability Details
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: Jan 18, 2022 03:25 PM
URL: CVE-2022-23305
Threat Assessment
Exploit Maturity:Not Defined
EPSS:14.1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: Jan 18, 2022 03:25 PM
Fix Resolution : ch.qos.reload4j:reload4j:1.2.18.2
🔴CVE-2022-23302
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- slf4j-log4j12-1.7.7.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: Jan 18, 2022 03:25 PM
URL: CVE-2022-23302
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: Jan 18, 2022 03:25 PM
Fix Resolution : ch.qos.reload4j:reload4j:1.2.18.1
🔴CVE-2022-23307
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- slf4j-log4j12-1.7.7.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: Jan 18, 2022 03:25 PM
URL: CVE-2022-23307
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: qos-ch/reload4j#21
Release Date: Jan 18, 2022 03:25 PM
Fix Resolution : ch.qos.reload4j:reload4j:1.2.18.1
🔴CVE-2023-26464
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- slf4j-log4j12-1.7.7.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.veracode.verademo.controller.UserController (Application)
- org.apache.log4j.spi.RootCategory (Extension)
- org.apache.log4j.lf5.LF5Appender (Extension)
- org.apache.log4j.lf5.viewer.LogBrokerMonitor (Extension)
-> ❌ org.apache.log4j.lf5.viewer.LogFactor5ErrorDialog (Vulnerable Component)
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED **
When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: Mar 10, 2023 01:38 PM
URL: CVE-2023-26464
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-vp98-w2p3-mv35
Release Date: Mar 10, 2023 01:38 PM
Fix Resolution : org.apache.logging.log4j:log4j-core:2.0
🔴CVE-2021-4104
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- slf4j-log4j12-1.7.7.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.veracode.verademo.controller.UserController (Application)
- org.apache.log4j.Logger (Extension)
-> ❌ org.apache.log4j.net.JMSAppender (Vulnerable Component)
Vulnerability Details
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: Dec 14, 2021 12:00 AM
URL: CVE-2021-4104
Threat Assessment
Exploit Maturity:High
EPSS:73.7%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Release Date: Dec 14, 2021 12:00 AM
Fix Resolution : uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
🟠CVE-2020-9488
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
- slf4j-log4j12-1.7.7.jar (Root Library)
- ❌ log4j-1.2.17.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.veracode.verademo.controller.UserController (Application)
- org.apache.log4j.spi.NOPLogger (Extension)
-> ❌ org.apache.log4j.net.SMTPAppender (Vulnerable Component)
Vulnerability Details
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
Publish Date: Apr 27, 2020 03:36 PM
URL: CVE-2020-9488
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-vwqq-5vrc-xw9h
Release Date: Apr 27, 2020 03:36 PM
Fix Resolution : org.apache.logging.log4j:log4j-core:2.3.2,org.apache.logging.log4j:log4j-core:2.12.3,org.apache.logging.log4j:log4j-core:2.13.2,org.apache.logging.log4j:log4j:2.3.2,org.apache.logging.log4j:log4j:2.12.3,org.apache.logging.log4j:log4j:2.13.2
📂 Vulnerable Library - slf4j-log4j12-1.7.7.jar
SLF4J LOG4J-12 Binding
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/slf4j/slf4j-log4j12/1.7.7/slf4j-log4j12-1.7.7.jar
Findings
Details
🟣CVE-2019-17571
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: Dec 20, 2019 04:01 PM
URL: CVE-2019-17571
Threat Assessment
Exploit Maturity:Not Defined
EPSS:43.2%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E
Release Date: Dec 20, 2019 04:01 PM
Fix Resolution : log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
🟣CVE-2020-9493
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: Jun 16, 2021 07:30 AM
URL: CVE-2020-9493
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: Jun 16, 2021 07:30 AM
Fix Resolution : ch.qos.reload4j:reload4j:1.2.18.1
🟣CVE-2022-23305
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: Jan 18, 2022 03:25 PM
URL: CVE-2022-23305
Threat Assessment
Exploit Maturity:Not Defined
EPSS:14.1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: Jan 18, 2022 03:25 PM
Fix Resolution : ch.qos.reload4j:reload4j:1.2.18.2
🔴CVE-2022-23302
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: Jan 18, 2022 03:25 PM
URL: CVE-2022-23302
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: Jan 18, 2022 03:25 PM
Fix Resolution : ch.qos.reload4j:reload4j:1.2.18.1
🔴CVE-2022-23307
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: Jan 18, 2022 03:25 PM
URL: CVE-2022-23307
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: qos-ch/reload4j#21
Release Date: Jan 18, 2022 03:25 PM
Fix Resolution : ch.qos.reload4j:reload4j:1.2.18.1
🔴CVE-2023-26464
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED **
When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: Mar 10, 2023 01:38 PM
URL: CVE-2023-26464
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-vp98-w2p3-mv35
Release Date: Mar 10, 2023 01:38 PM
Fix Resolution : org.apache.logging.log4j:log4j-core:2.0
🔴CVE-2021-4104
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: Dec 14, 2021 12:00 AM
URL: CVE-2021-4104
Threat Assessment
Exploit Maturity:High
EPSS:73.7%
Score: 7.7
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Release Date: Dec 14, 2021 12:00 AM
Fix Resolution : uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
🟠CVE-2020-9488
Vulnerable Library - log4j-1.2.17.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /app/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
Publish Date: Apr 27, 2020 03:36 PM
URL: CVE-2020-9488
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-vwqq-5vrc-xw9h
Release Date: Apr 27, 2020 03:36 PM
Fix Resolution : org.apache.logging.log4j:log4j-core:2.3.2,org.apache.logging.log4j:log4j-core:2.12.3,org.apache.logging.log4j:log4j-core:2.13.2,org.apache.logging.log4j:log4j:2.3.2,org.apache.logging.log4j:log4j:2.12.3,org.apache.logging.log4j:log4j:2.13.2