GHSA-2cwj-8chv-9pp9

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-2cwj-8chv-9pp9/GHSA-2cwj-8chv-9pp9.json
Aliases
Published
2021-01-29T19:47:23Z
Modified
2022-09-22T03:47:43.032330Z
Details

Apache log4net before 2.0.10 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.

References

Affected packages

NuGet / log4net

log4net

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Fixed
2.0.10

Affected versions

1.*

1.2.10
1.2.11

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9