CVE-2021-45105 org.ops4j.pax.logging:pax-logging-log4j2

Package

Manager: maven
Name: org.ops4j.pax.logging:pax-logging-log4j2
Vulnerable Version: >=1.8.0 <1.9.2 || >=1.10.0 <1.10.9 || >=1.11.0 <1.11.12 || >=2.0.0 <2.0.13

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

EPSS: 0.72106 (percentile 0.98699)

Details

Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Affected packages

Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` package, if in use, should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatibility.

Metadata

Created: 2021-12-18T18:00:07Z
Modified: 2025-05-09T12:31:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-p6xc-xr62-6r2g/GHSA-p6xc-xr62-6r2g.json
CWE IDs: ["CWE-20", "CWE-674"]
Alternative ID: GHSA-p6xc-xr62-6r2g
Finding: F184
Auto approve: 1