GHSA-fxph-q3j8-mv87

Source
https://github.com/advisories/GHSA-fxph-q3j8-mv87
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-fxph-q3j8-mv87/GHSA-fxph-q3j8-mv87.json
Aliases
Published
2020-01-06T18:43:38Z
Modified
2024-03-14T05:19:26.806656Z
Details

In Apache Log4j 2.x before 2.8.2, when the TCP socket server or UDP socket server (TcpSocketServer / UdpSocketServer in log4j-core) is used to receive serialized log events from another application, a specially crafted binary payload sent to that server is deserialized without any restriction on the classes it names, so the attacker can have arbitrary code executed on the receiving host. Any network peer that can reach the listening port can send such a payload. Version 2.8.2 limits the classes the socket servers will deserialize; until an application is upgraded, the socket servers should not be reachable from untrusted networks.
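The pattern behind the advisory, as an added example that is not Log4j's own code: a receiver that hands untrusted bytes to a plain ObjectInputStream instantiates whatever class the peer names in the stream, while a receiver whose ObjectInputStream overrides resolveClass can refuse everything outside a small allowlist, which is the approach the 2.8.2 fix takes. The LogEvent class, the FilteredObjectInputStream class, the allowlist and the java.io.File stand-in for a hostile payload are all constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.List;

/**
 * Added example, not Log4j code: the unsafe receive loop beside an
 * allowlisting receiver. Class and field names here are assumptions.
 */
public class SocketServerDeserialization {

    /** Stand-in for a serialized log event; Log4j's real event type is larger. */
    public static final class LogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String logger;
        public final String message;
        public LogEvent(String logger, String message) {
            this.logger = logger;
            this.message = message;
        }
    }

    /** VULNERABLE: any Serializable class the peer names in the stream is instantiated. */
    public static Object receiveUnsafe(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            return ois.readObject();
        }
    }

    /** Only class names with these prefixes may be resolved while reading the stream. */
    private static final List<String> ALLOWED_PREFIXES = List.of(
            "java.lang.",
            "java.util.",
            SocketServerDeserialization.class.getName() + "$");  // our own nested classes

    /** HARDENED: resolveClass() is consulted for every class descriptor in the stream. */
    public static final class FilteredObjectInputStream extends ObjectInputStream {
        public FilteredObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String prefix : ALLOWED_PREFIXES) {
                if (name.startsWith(prefix)) {
                    return super.resolveClass(desc);
                }
            }
            // Rejecting here stops the class from being loaded or its readObject() from running.
            throw new InvalidClassException(name, "class not allowed for deserialization");
        }
    }

    /** Reads one event with the allowlist in place and also checks the resulting type. */
    public static LogEvent receiveFiltered(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new FilteredObjectInputStream(in)) {
            Object o = ois.readObject();
            if (!(o instanceof LogEvent)) {
                throw new InvalidClassException(o.getClass().getName(), "not a LogEvent");
            }
            return (LogEvent) o;
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new LogEvent("app", "user login"));
        // Constructed stand-in for a crafted payload: a Serializable class the receiver never
        // expects. A real attack would name a gadget class whose readObject() has side effects.
        byte[] hostile = serialize(new java.io.File("/tmp/not-a-log-event"));

        System.out.println("unsafe receiver accepted: " + receiveUnsafe(new ByteArrayInputStream(hostile)));
        System.out.println("filtered receiver accepted: " + receiveFiltered(new ByteArrayInputStream(legit)).message);
        try {
            receiveFiltered(new ByteArrayInputStream(hostile));
        } catch (InvalidClassException e) {
            System.out.println("filtered receiver rejected: " + e.getMessage());
        }
    }
}
```

The allowlist should be as narrow as the event type actually needs; java.util collections are only included here because serialized events commonly carry them, and every extra prefix widens the set of readObject() implementations an attacker can reach. On Java 9 and later the same restriction can be expressed without a subclass by calling setObjectInputFilter on the stream with a pattern-based ObjectInputFilter. Neither measure removes the underlying risk of accepting serialized objects from the network, which is why the socket servers should also be kept off untrusted networks.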

References

Affected packages

Maven / org.apache.logging.log4j:log4j

Package

Name
org.apache.logging.log4j:log4j

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0
Fixed
2.8.2

Affected versions

2.*

2.0
2.0.1
2.0.2
2.1
2.2
2.3
2.3.1
2.3.2
2.4
2.4.1
2.5
2.6
2.6.1
2.6.2
2.7
2.8
2.8.1

Maven / org.apache.logging.log4j:log4j-core

Package

Name
org.apache.logging.log4j:log4j-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0
Fixed
2.8.2

Affected versions

2.*

2.0
2.0.1
2.0.2
2.1
2.2
2.3
2.3.1
2.3.2
2.4
2.4.1
2.5
2.6
2.6.1
2.6.2
2.7
2.8
2.8.1