CVE-2021-45046

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-45046.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-45046
Aliases
Related
Published
2021-12-14T19:15:07Z
Modified
2024-06-27T22:04:03.954093Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

References

Affected packages

Git / github.com/apache/logging-log4j2

Affected ranges

Type
GIT
Repo
https://github.com/apache/logging-log4j2
Events
Type
GIT
Repo
https://github.com/opencv/cvat
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.2.0

v0.*

v0.3.0
v0.4.0
v0.4.1
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.6.1

v1.*

v1.0.0
v1.0.0-alpha
v1.0.0-beta.1
v1.0.0-beta.2
v1.1.0
v1.1.0-alpha
v1.1.0-beta
v1.2.0
v1.2.0-beta
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.7.0

v2.*

v2.0.0
v2.0.0-alpha
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.2