GHSA-p6xc-xr62-6r2g

Suggest an improvement
Source
https://github.com/advisories/GHSA-p6xc-xr62-6r2g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-p6xc-xr62-6r2g/GHSA-p6xc-xr62-6r2g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p6xc-xr62-6r2g
Aliases
Published
2021-12-18T18:00:07Z
Modified
2024-02-14T05:31:41.894627Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H CVSS Calculator
Summary
Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion
Details

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Affected packages

Only the org.apache.logging.log4j:log4j-core package is directly affected by this vulnerability. The org.apache.logging.log4j:log4j-api should be kept at the same version as the org.apache.logging.log4j:log4j-core package to ensure compatability if in use.

References

Affected packages

Maven / org.apache.logging.log4j:log4j-core

Package

Name
org.apache.logging.log4j:log4j-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.logging.log4j/log4j-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0
Fixed
2.12.3

Affected versions

2.*

2.4
2.4.1
2.5
2.6
2.6.1
2.6.2
2.7
2.8
2.8.1
2.8.2
2.9.0
2.9.1
2.10.0
2.11.0
2.11.1
2.11.2
2.12.0
2.12.1
2.12.2

Maven / org.apache.logging.log4j:log4j-core

Package

Name
org.apache.logging.log4j:log4j-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.logging.log4j/log4j-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.13.0
Fixed
2.17.0

Affected versions

2.*

2.13.0
2.13.1
2.13.2
2.13.3
2.14.0
2.14.1
2.15.0
2.16.0

Maven / org.apache.logging.log4j:log4j-core

Package

Name
org.apache.logging.log4j:log4j-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.logging.log4j/log4j-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.1

Affected versions

2.*

2.0-alpha1
2.0-alpha2
2.0-beta1
2.0-beta2
2.0-beta3
2.0-beta4
2.0-beta5
2.0-beta6
2.0-beta7
2.0-beta8
2.0-beta9
2.0-rc1
2.0-rc2
2.0
2.0.1
2.0.2
2.1
2.2
2.3