GHSA-94g7-hpv8-h9qm – com.splunk.logging:splunk-library-javalogging

Package

Manager: maven
Name: com.splunk.logging:splunk-library-javalogging
Vulnerable Version: >=1.7.0 <1.11.1 || >=0 <1.6.2-0-0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: N/A pctlN/A

Details

Remote code injection in Log4j ### Impact Logging untrusted or user controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data included in logged errors such as exception traces, authentication failures, and other unexpected vectors of user controlled input. More Details: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q ### Patches Version 1.11.1 of the Splunk Logging for Java library. There is also a backport to version 1.6.2 released as a patch: 1.6.2-0-0. ### Workarounds If upgrading is not possible, then ensure the -Dlog4j2.formatMsgNoLookups=true system property is set on both client- and server-side components. ### References https://github.com/advisories/GHSA-jfh8-c2jp-5v3q ### For more information If you have any questions or comments about this advisory: * Open an issue in https://github.com/splunk/splunk-library-javalogging/issues * Email us at [devinfo@splunk.com](mailto:devinfo@splunk.com)

Metadata

Created: 2021-12-14T21:46:35Z
Modified: 2025-08-07T14:10:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-94g7-hpv8-h9qm/GHSA-94g7-hpv8-h9qm.json
CWE IDs: []
Alternative ID: N/A
Finding: F422
Auto approve: 1