VulnerableCode Package Details - pkg:maven/org.apache.logging.log4j/log4j@2.4.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-74dr-6hxt-tbgu Aliases: CVE-2017-5645 GHSA-fxph-q3j8-mv87	In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.	2.8.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-8977-tjss-w7ba Aliases: CVE-2021-45046 GHSA-7rjr-3q55-vv33	Incomplete fix for Apache Log4j vulnerability The fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack.	2.12.3 Affected by 0 other vulnerabilities. 2.17.0 Affected by 0 other vulnerabilities.
VCID-jwav-88m7-6fhz Aliases: CVE-2021-44228 GHSA-jfh8-c2jp-5v3q	Remote code injection in Log4j Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per [Apache's Log4j security guide](https://logging.apache.org/log4j/2.x/security.html): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default. Log4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the `Updated advice for version 2.16.0` section of this advisory.	2.12.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.15.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-mz9r-j78c-dfe3 Aliases: CVE-2020-9488 GHSA-vwqq-5vrc-xw9h	Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.	2.12.3 Affected by 0 other vulnerabilities. 2.13.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-74dr-6hxt-tbgu
Aliases:
CVE-2017-5645
GHSA-fxph-q3j8-mv87

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

2.8.2
Affected by 3 other vulnerabilities.

VCID-8977-tjss-w7ba
Aliases:
CVE-2021-45046
GHSA-7rjr-3q55-vv33

Incomplete fix for Apache Log4j vulnerability The fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack.

2.12.3
Affected by 0 other vulnerabilities.

2.17.0
Affected by 0 other vulnerabilities.

VCID-jwav-88m7-6fhz
Aliases:
CVE-2021-44228
GHSA-jfh8-c2jp-5v3q

Remote code injection in Log4j Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser. As per [Apache's Log4j security guide](https://logging.apache.org/log4j/2.x/security.html): Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.16.0, this behavior has been disabled by default. Log4j version 2.15.0 contained an earlier fix for the vulnerability, but that patch did not disable attacker-controlled JNDI lookups in all situations. For more information, see the `Updated advice for version 2.16.0` section of this advisory.

2.12.2
Affected by 2 other vulnerabilities.

2.15.0
Affected by 1 other vulnerability.

VCID-mz9r-j78c-dfe3
Aliases:
CVE-2020-9488
GHSA-vwqq-5vrc-xw9h

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

2.12.3
Affected by 0 other vulnerabilities.

2.13.2
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:36:27.004179+00:00	GitLab Importer	Affected by	VCID-8977-tjss-w7ba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-45046.yml	38.4.0
2026-04-16T21:36:20.814544+00:00	GitLab Importer	Affected by	VCID-jwav-88m7-6fhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-44228.yml	38.4.0
2026-04-16T21:02:51.259564+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2020-9488.yml	38.4.0
2026-04-16T20:36:40.183484+00:00	GitLab Importer	Affected by	VCID-74dr-6hxt-tbgu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2017-5645.yml	38.4.0
2026-04-11T22:50:08.668647+00:00	GitLab Importer	Affected by	VCID-8977-tjss-w7ba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-45046.yml	38.3.0
2026-04-11T22:50:02.054671+00:00	GitLab Importer	Affected by	VCID-jwav-88m7-6fhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-44228.yml	38.3.0
2026-04-11T22:14:14.113889+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2020-9488.yml	38.3.0
2026-04-11T21:47:13.200943+00:00	GitLab Importer	Affected by	VCID-74dr-6hxt-tbgu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2017-5645.yml	38.3.0
2026-04-02T22:59:33.138281+00:00	GitLab Importer	Affected by	VCID-8977-tjss-w7ba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-45046.yml	38.1.0
2026-04-02T22:59:27.247567+00:00	GitLab Importer	Affected by	VCID-jwav-88m7-6fhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-44228.yml	38.1.0
2026-04-02T22:26:35.066916+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2020-9488.yml	38.1.0
2026-04-02T22:01:12.564927+00:00	GitLab Importer	Affected by	VCID-74dr-6hxt-tbgu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2017-5645.yml	38.1.0
2026-04-01T17:18:16.823119+00:00	GitLab Importer	Affected by	VCID-8977-tjss-w7ba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-45046.yml	38.0.0
2026-04-01T17:18:09.954032+00:00	GitLab Importer	Affected by	VCID-jwav-88m7-6fhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2021-44228.yml	38.0.0
2026-04-01T16:44:30.644993+00:00	GitLab Importer	Affected by	VCID-mz9r-j78c-dfe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2020-9488.yml	38.0.0
2026-04-01T12:47:12.888353+00:00	GitLab Importer	Affected by	VCID-74dr-6hxt-tbgu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.logging.log4j/log4j/CVE-2017-5645.yml	38.0.0