Vulnerabilities affecting this package (0)
| Vulnerability |
Summary |
Fixed by |
|
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (2)
| Vulnerability |
Summary |
Aliases |
|
VCID-698m-2hju-2qcv
|
Deserialization of Untrusted Data
JMSAppender in Log4j is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide `TopicBindingName` and `TopicConnectionFactoryBindingName` configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j when specifically configured to use JMSAppender, which is not the default. Apache Log4j reached end of life in August Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
|
CVE-2021-4104
GHSA-fp5r-v3w9-4333
|
|
VCID-8977-tjss-w7ba
|
Incomplete fix for Apache Log4j vulnerability
The fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack.
|
CVE-2021-45046
GHSA-7rjr-3q55-vv33
|