| purl | pkg:maven/org.ops4j.pax.logging/pax-logging-log4j2@2.0.12 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-r67p-yqg2-9bbq (Aliases: CVE-2021-44832, GHSA-8489-44mv-ggj8) | Improper Input Validation and Injection in Apache Log4j2. Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. | Affected by 0 other vulnerabilities. |
| VCID-sjuz-dd96-sqe3 (Aliases: CVE-2021-45105, GHSA-p6xc-xr62-6r2g) | Uncontrolled Recursion. This advisory has been marked as a false positive. | Affected by 1 other vulnerability. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-8977-tjss-w7ba | Incomplete fix for Apache Log4j vulnerability. The fix to address [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, `$${ctx:loginId}`) or a Thread Context Map pattern (`%X`, `%mdc`, or `%MDC`) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack. | CVE-2021-45046, GHSA-7rjr-3q55-vv33 |