CVE-2020-9488 – org.apache.logging.log4j:log4j
Package
Manager: maven
Name: org.apache.logging.log4j:log4j
Vulnerable Version: >=0 <2.13.2
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00014 (percentile: 0.01717)
Details
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
Metadata
Created: 2020-06-05T14:15:51Z
Modified: 2022-03-28T22:26:27Z
Source: MANUAL
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-vwqq-5vrc-xw9h
Finding: F163
Auto approve: 1