admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-merge PR#3858

Browse Source 
Auto-merge PR#3858
This commit is contained in:
CVE Team 2021-12-28 11:35:11 -05:00 committed by GitHub
commit d6095870fe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 46 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
2021/44xxx/CVE-2021-44228.json
View File

@ -9,42 +9,48 @@
"vendor": {
"vendor_data": [
{
"vendor_name": "Apache Software Foundation",
"product": {
"product_data": [
{
"product_name": "Apache Log4j",
"product_name": "Apache Log4j2",
"version": {
"version_data": [
{
"version_name": "Apache Log4j 2",
"version_affected": ">=",
"version_value": "2.0-beta9",
"platform": ""
"version_name": "log4j-core",
"version_value": "2.0-beta9"
},
{
"version_name": "Apache Log4j 2",
"version_affected": "<=",
"version_value": "2.12.1",
"platform": ""
"version_affected": "<",
"version_name": "log4j-core",
"version_value": "2.3.1"
},
{
"version_name": "Apache Log4j 2",
"version_affected": ">=",
"version_value": "2.13.0",
"platform": ""
"version_name": "log4j-core",
"version_value": "2.4"
},
{
"version_name": "Apache Log4j 2",
"version_affected": "<=",
"version_value": "2.14.1",
"platform": ""
"version_affected": "<",
"version_name": "log4j-core",
"version_value": "2.12.2"
},
{
"version_affected": ">=",
"version_name": "log4j-core",
"version_value": "2.13.0"
},
{
"version_affected": "<",
"version_name": "log4j-core",
"version_value": "2.15.0"
}
]
}
}
]
}
},
"vendor_name": "Apache Software Foundation"
}
]
}
@ -62,7 +68,7 @@
"description_data": [
{
"lang": "eng",
"value": "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects."
"value": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed.\n\nNote that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.\n\n\n"
}
]
},
@ -314,4 +320,4 @@
"source": {
"discovery": "UNKNOWN"
}
}
}

32
2021/45xxx/CVE-2021-45105.json
View File

@ -12,27 +12,37 @@
"product": {
"product_data": [
{
"product_name": "Apache Log4j 2",
"product_name": "Apache Log4j2",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "Apache Log4j",
"version_value": "2.16.0"
"version_affected": "<",
"version_name": "log4j-core",
"version_value": "2.17.0"
},
{
"version_affected": ">",
"version_name": "Apache Log4j",
"version_value": "2.12.3"
"version_affected": ">=",
"version_name": "log4j-core",
"version_value": "2.13.0"
},
{
"version_affected": "<",
"version_name": "Apache Log4j",
"version_name": "log4j-core",
"version_value": "2.12.3"
},
{
"version_affected": ">=",
"version_name": "Apache Log4j",
"version_name": "log4j-core",
"version_value": "2.4"
},
{
"version_affected": "<",
"version_name": "log4j-core",
"version_value": "2.3.1"
},
{
"version_affected": ">=",
"version_name": "log4j-core",
"version_value": "2.0-alpha1"
}
]
@ -58,7 +68,7 @@
"description_data": [
{
"lang": "eng",
"value": "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3."
"value": "Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1."
}
]
},
@ -171,4 +181,4 @@
"value": "Implement one of the following mitigation techniques:\n\n* Java 8 (or later) users should upgrade to release 2.17.0.\n\nAlternatively, this can be mitigated in configuration:\n\n* In PatternLayout in the logging configuration, replace Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` with Thread Context Map patterns (%X, %mdc, or %MDC).\n* Otherwise, in the configuration, remove references to Context Lookups like `${ctx:loginId}` or `$${ctx:loginId}` where they originate \nfrom sources external to the application such as HTTP headers or user input."
}
]
}
}