CVE-2017-5645 – org.apache.logging.log4j:log4j-core
Package
Manager: maven
Name: org.apache.logging.log4j:log4j-core
Vulnerable Version: >=2.0 <2.8.2
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.94013 (percentile 0.99887)
Details
Deserialization of Untrusted Data in Log4j
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Metadata
Created: 2020-01-06T18:43:38Z
Modified: 2022-04-01T20:26:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-fxph-q3j8-mv87/GHSA-fxph-q3j8-mv87.json
CWE IDs: CWE-502
Alternative ID: GHSA-fxph-q3j8-mv87
Finding: F096
Auto approve: 1