GHSA-vwqq-5vrc-xw9h

Source

https://github.com/advisories/GHSA-vwqq-5vrc-xw9h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-vwqq-5vrc-xw9h/GHSA-vwqq-5vrc-xw9h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vwqq-5vrc-xw9h

Aliases

CVE-2020-9488

Published

2020-06-05T14:15:51Z

Modified

2024-03-13T05:32:08.046905Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender

Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

Database specific

{
    "nvd_published_at": "2020-04-27T16:15:00Z",
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-04T19:29:20Z"
}

References

Affected packages

Maven / org.apache.logging.log4j:log4j

Package

Name: org.apache.logging.log4j:log4j; View open source insights on deps.dev
Purl: pkg:maven/org.apache.logging.log4j/log4j

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.13.0

Fixed

2.13.2

Affected versions

2.*

2.13.0

2.13.1

Maven / org.apache.logging.log4j:log4j-core

Package

Name: org.apache.logging.log4j:log4j-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.logging.log4j/log4j-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.13.0

Fixed

2.13.2

Affected versions

2.*

2.13.0

2.13.1

Maven / org.apache.logging.log4j:log4j

Package

Name: org.apache.logging.log4j:log4j; View open source insights on deps.dev
Purl: pkg:maven/org.apache.logging.log4j/log4j

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.4.0

Fixed

2.12.3

Affected versions

2.*

2.4

2.4.1

2.5

2.6

2.6.1

2.6.2

2.7

2.8

2.8.1

2.8.2

2.9.0

2.9.1

2.10.0

2.11.0

2.11.1

2.11.2

2.12.0

2.12.1

2.12.2

Maven / org.apache.logging.log4j:log4j

Package

Name: org.apache.logging.log4j:log4j; View open source insights on deps.dev
Purl: pkg:maven/org.apache.logging.log4j/log4j

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.2

Affected versions

2.*

2.0-alpha1

2.0-alpha2

2.0-beta1

2.0-beta2

2.0-beta3

2.0-beta4

2.0-beta5

2.0-beta6

2.0-beta7

2.0-beta8

2.0-beta9

2.0-rc1

2.0-rc2

2.0

2.0.1

2.0.2

2.1

2.2

2.3

2.3.1

Maven / org.apache.logging.log4j:log4j-core

Package

Name: org.apache.logging.log4j:log4j-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.logging.log4j/log4j-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.4.0

Fixed

2.12.3

Affected versions

2.*

2.4

2.4.1

2.5

2.6

2.6.1

2.6.2

2.7

2.8

2.8.1

2.8.2

2.9.0

2.9.1

2.10.0

2.11.0

2.11.1

2.11.2

2.12.0

2.12.1

2.12.2

Maven / org.apache.logging.log4j:log4j-core

Package

Name: org.apache.logging.log4j:log4j-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.logging.log4j/log4j-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.2

Affected versions

2.*

2.0-alpha1

2.0-alpha2

2.0-beta1

2.0-beta2

2.0-beta3

2.0-beta4

2.0-beta5

2.0-beta6

2.0-beta7

2.0-beta8

2.0-beta9

2.0-rc1

2.0-rc2

2.0

2.0.1

2.0.2

2.1

2.2

2.3

2.3.1