VulnerableCode Package Details - pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta7

Search for packages

Vulnerability	Summary	Fixed by
VCID-khr7-6pza-afab Aliases: CVE-2023-26464 GHSA-vp98-w2p3-mv35	Apache Log4j 1.x (EOL) allows Denial of Service (DoS) UNSUPPORTED WHEN ASSIGNED When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.	2.0 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-mz9r-j78c-dfe3 Aliases: CVE-2020-9488 GHSA-vwqq-5vrc-xw9h	Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.	2.3.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.12.3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.13.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-r67p-yqg2-9bbq Aliases: CVE-2021-44832 GHSA-8489-44mv-ggj8	Improper Input Validation and Injection in Apache Log4j2 Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.	2.3.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.12.4 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.17.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-khr7-6pza-afab
Aliases:
CVE-2023-26464
GHSA-vp98-w2p3-mv35

Apache Log4j 1.x (EOL) allows Denial of Service (DoS) ** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

2.0
Affected by 4 other vulnerabilities.

VCID-mz9r-j78c-dfe3
Aliases:
CVE-2020-9488
GHSA-vwqq-5vrc-xw9h

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

2.3.2
Affected by 3 other vulnerabilities.

2.12.3
Affected by 2 other vulnerabilities.

2.13.2
Affected by 2 other vulnerabilities.

VCID-r67p-yqg2-9bbq
Aliases:
CVE-2021-44832
GHSA-8489-44mv-ggj8

Improper Input Validation and Injection in Apache Log4j2 Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

2.3.2
Affected by 3 other vulnerabilities.

2.12.4
Affected by 1 other vulnerability.

2.17.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:24:02.320730+00:00	GitLab Importer	Affected by	VCID-khr7-6pza-afab	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j-core/CVE-2023-26464.yml	38.4.0
2026-04-16T21:36:54.000706+00:00	GitLab Importer	Affected by	VCID-r67p-yqg2-9bbq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j-core/CVE-2021-44832.yml	38.4.0
2026-04-16T21:02:51.717758+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j-core/CVE-2020-9488.yml	38.4.0
2026-04-11T23:42:12.272395+00:00	GitLab Importer	Affected by	VCID-khr7-6pza-afab	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j-core/CVE-2023-26464.yml	38.3.0
2026-04-11T22:50:50.288786+00:00	GitLab Importer	Affected by	VCID-r67p-yqg2-9bbq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j-core/CVE-2021-44832.yml	38.3.0
2026-04-11T22:14:14.594574+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j-core/CVE-2020-9488.yml	38.3.0
2026-04-02T23:46:08.139001+00:00	GitLab Importer	Affected by	VCID-khr7-6pza-afab	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j-core/CVE-2023-26464.yml	38.1.0
2026-04-02T23:00:13.584349+00:00	GitLab Importer	Affected by	VCID-r67p-yqg2-9bbq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j-core/CVE-2021-44832.yml	38.1.0
2026-04-02T22:26:35.541611+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j-core/CVE-2020-9488.yml	38.1.0
2026-04-01T18:09:18.585428+00:00	GitLab Importer	Affected by	VCID-khr7-6pza-afab	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j-core/CVE-2023-26464.yml	38.0.0
2026-04-01T16:44:31.167130+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j-core/CVE-2020-9488.yml	38.0.0
2026-04-01T15:59:12.411582+00:00	GHSA Importer	Affected by	VCID-r67p-yqg2-9bbq	https://github.com/advisories/GHSA-8489-44mv-ggj8	38.0.0
2026-04-01T12:49:12.894329+00:00	GitLab Importer	Affected by	VCID-r67p-yqg2-9bbq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j-core/CVE-2021-44832.yml	38.0.0