GHSA-fxph-q3j8-mv87

Source

https://github.com/advisories/GHSA-fxph-q3j8-mv87

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-fxph-q3j8-mv87/GHSA-fxph-q3j8-mv87.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fxph-q3j8-mv87

Aliases

CVE-2017-5645

Published

2020-01-06T18:43:38Z

Modified

2024-03-14T05:19:26.806656Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Deserialization of Untrusted Data in Log4j

Details

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

References

Affected packages

Maven / org.apache.logging.log4j:log4j

Package

Name: org.apache.logging.log4j:log4j; View open source insights on deps.dev
Purl: pkg:maven/org.apache.logging.log4j/log4j

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0

Fixed

2.8.2

Affected versions

2.*

2.0

2.0.1

2.0.2

2.1

2.2

2.3

2.3.1

2.3.2

2.4

2.4.1

2.5

2.6

2.6.1

2.6.2

2.7

2.8

2.8.1

Maven / org.apache.logging.log4j:log4j-core