CVE-2021-45046

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-45046.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-45046
Aliases
Downstream
Related
Published
2021-12-14T19:15:07Z
Modified
2025-09-19T13:28:39.139511Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

References

Affected packages

Git / github.com/apache/logging-log4j2

Affected ranges

Type
GIT
Repo
https://github.com/apache/logging-log4j2
Events
Type
GIT
Repo
https://github.com/cvat-ai/cvat
Events

Affected versions

v2.*

v2.13.0
v2.14.0
v2.14.1
v2.14.2
v2.14.3
v2.14.4
v2.15.0