CVE-2021-44832

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-44832
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-44832.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-44832
Aliases
Related
Published
2021-12-28T20:15:08Z
Modified
2024-09-18T03:13:44.183047Z
Severity
  • 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

References

Affected packages

Debian:11 / apache-log4j2

Package

Name
apache-log4j2
Purl
pkg:deb/debian/apache-log4j2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.17.1-1~deb11u1

Affected versions

2.*

2.13.3-1
2.15.0-1~deb10u1
2.15.0-1~deb11u1
2.15.0-1
2.16.0-1~deb10u1
2.16.0-1~deb11u1
2.16.0-1
2.17.0-1~deb10u1
2.17.0-1~deb11u1
2.17.0-1
2.17.1-1~deb10u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / apache-log4j2

Package

Name
apache-log4j2
Purl
pkg:deb/debian/apache-log4j2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.17.1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / apache-log4j2

Package

Name
apache-log4j2
Purl
pkg:deb/debian/apache-log4j2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.17.1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / github.com/apache/logging-log4j2

Affected ranges

Type
GIT
Repo
https://github.com/apache/logging-log4j2
Events
Introduced
6b788facd3479dfe9052b3a5e13f6603dce8c16f
Fixed
dfc35cfb8bdbda7043439ac7027edfa2d400b5c2