CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

References

Affected packages

Git / github.com/apache/logging-log4j2

Affected ranges

Type: GIT
Repo: https://github.com/apache/logging-log4j2
Events: Introduced

383a8194acab4a740d22b69c023ca3af6cb9c664

Fixed

2b9359b2373d773c5db7427d6dab369ba1852d3f

Introduced

8d9204a4b4c6016fa6b36513a46502689d6a45c1

Fixed

38513a7d57343881f7bf58f37e67d6a87e0a47c5

Affected versions

log4j-2.*

log4j-2.10-rc1

log4j-2.10.0

log4j-2.11.0

log4j-2.11.0-rc1

log4j-2.11.1

log4j-2.11.1-rc1

log4j-2.11.2

log4j-2.11.2-rc1

log4j-2.11.2-rc2

log4j-2.11.2-rc3

log4j-2.12.0

log4j-2.12.0-rc1

log4j-2.12.0-rc2

log4j-2.12.1

log4j-2.12.1-rc1

log4j-2.12.2-rc1

log4j-2.4

log4j-2.4.1

log4j-2.5

log4j-2.5-rc1

log4j-2.6

log4j-2.6-rc1

log4j-2.6.1

log4j-2.6.1-rc1

log4j-2.6.2

log4j-2.6.2-rc1

log4j-2.7

log4j-2.7-rc1

log4j-2.7-rc2

log4j-2.8

log4j-2.8-rc1

log4j-2.8.1

log4j-2.8.1-rc1

log4j-2.8.2

log4j-2.8.2-rc1

log4j-2.9-rc1

log4j-2.9.0

log4j-2.9.1-rc1

rel/2.*

rel/2.10.0

rel/2.11.0

rel/2.11.1

rel/2.11.2

rel/2.12.0

rel/2.12.1

rel/2.12.2

rel/2.4

rel/2.4.1

rel/2.5

rel/2.6

rel/2.6.1

rel/2.6.2

rel/2.7

rel/2.8

rel/2.8.1

rel/2.8.2

rel/2.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-45105.json"