GHSA-fxph-q3j8-mv87

Suggest an improvement
Source
https://github.com/advisories/GHSA-fxph-q3j8-mv87
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-fxph-q3j8-mv87/GHSA-fxph-q3j8-mv87.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fxph-q3j8-mv87
Aliases
Published
2020-01-06T18:43:38Z
Modified
2024-03-14T05:18:16.050851Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Deserialization of Untrusted Data in Log4j
Details

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

References

Affected packages

Maven / org.apache.logging.log4j:log4j

Package

Name
org.apache.logging.log4j:log4j
View open source insights on deps.dev
Purl
pkg:maven/org.apache.logging.log4j/log4j

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0
Fixed
2.8.2

Affected versions

2.*

2.0
2.0.1
2.0.2
2.1
2.2
2.3
2.3.1
2.3.2
2.4
2.4.1
2.5
2.6
2.6.1
2.6.2
2.7
2.8
2.8.1

Maven / org.apache.logging.log4j:log4j-core

Package

Name
org.apache.logging.log4j:log4j-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.logging.log4j/log4j-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0
Fixed
2.8.2

Affected versions

2.*

2.0
2.0.1
2.0.2
2.1
2.2
2.3
2.3.1
2.3.2
2.4
2.4.1
2.5
2.6
2.6.1
2.6.2
2.7
2.8
2.8.1