VulnerableCode Package Details - pkg:maven/org.apache.logging.log4j/log4j@2.3.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-74dr-6hxt-tbgu Aliases: CVE-2017-5645 GHSA-fxph-q3j8-mv87	In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.	2.8.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-mz9r-j78c-dfe3 Aliases: CVE-2020-9488 GHSA-vwqq-5vrc-xw9h	Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.	2.12.3 Affected by 0 other vulnerabilities. 2.13.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-74dr-6hxt-tbgu
Aliases:
CVE-2017-5645
GHSA-fxph-q3j8-mv87

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

2.8.2
Affected by 3 other vulnerabilities.

VCID-mz9r-j78c-dfe3
Aliases:
CVE-2020-9488
GHSA-vwqq-5vrc-xw9h

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

2.12.3
Affected by 0 other vulnerabilities.

2.13.2
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-jwav-88m7-6fhz	Remote code injection in Log4j Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per [Apache's Log4j security guide](https://logging.apache.org/log4j/2.x/security.html): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default. Log4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the `Updated advice for version 2.16.0` section of this advisory.	CVE-2021-44228 GHSA-jfh8-c2jp-5v3q
VCID-mz9r-j78c-dfe3	Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.	CVE-2020-9488 GHSA-vwqq-5vrc-xw9h

Vulnerability

Summary

Aliases

VCID-jwav-88m7-6fhz

Remote code injection in Log4j Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per [Apache's Log4j security guide](https://logging.apache.org/log4j/2.x/security.html): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default. Log4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the `Updated advice for version 2.16.0` section of this advisory.

CVE-2021-44228
GHSA-jfh8-c2jp-5v3q

VCID-mz9r-j78c-dfe3

CVE-2020-9488
GHSA-vwqq-5vrc-xw9h

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:36:20.800826+00:00	GitLab Importer	Fixing	VCID-jwav-88m7-6fhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-44228.yml	38.4.0
2026-04-16T21:02:51.253207+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2020-9488.yml	38.4.0
2026-04-16T20:36:40.177149+00:00	GitLab Importer	Affected by	VCID-74dr-6hxt-tbgu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2017-5645.yml	38.4.0
2026-04-11T22:50:02.036636+00:00	GitLab Importer	Fixing	VCID-jwav-88m7-6fhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-44228.yml	38.3.0
2026-04-11T22:14:14.106257+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2020-9488.yml	38.3.0
2026-04-11T21:47:13.193440+00:00	GitLab Importer	Affected by	VCID-74dr-6hxt-tbgu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2017-5645.yml	38.3.0
2026-04-02T22:59:27.233478+00:00	GitLab Importer	Fixing	VCID-jwav-88m7-6fhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-44228.yml	38.1.0
2026-04-02T22:26:35.060341+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2020-9488.yml	38.1.0
2026-04-02T22:01:12.558101+00:00	GitLab Importer	Affected by	VCID-74dr-6hxt-tbgu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2017-5645.yml	38.1.0
2026-04-01T16:44:30.636485+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2020-9488.yml	38.0.0
2026-04-01T16:18:23.069585+00:00	GitLab Importer	Affected by	VCID-74dr-6hxt-tbgu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2017-5645.yml	38.0.0
2026-04-01T15:58:11.366050+00:00	GHSA Importer	Fixing	VCID-mz9r-j78c-dfe3	https://github.com/advisories/GHSA-vwqq-5vrc-xw9h	38.0.0
2026-04-01T13:00:24.057613+00:00	GithubOSV Importer	Fixing	VCID-mz9r-j78c-dfe3	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-vwqq-5vrc-xw9h/GHSA-vwqq-5vrc-xw9h.json	38.0.0
2026-04-01T12:49:09.844598+00:00	GitLab Importer	Fixing	VCID-jwav-88m7-6fhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-44228.yml	38.0.0