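Apache log4net versions before 2.0.10 do not disable XML external entity (XXE) processing when parsing log4net configuration files. As a result, an application that accepts an attacker-controlled log4net configuration file is exposed to XXE-based attacks. Note that the distribution packages listed below carry 1.2.10+dfsg-based version strings, so their status should be determined from the distribution package version rather than by comparing against the upstream 2.0.10 threshold.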
{ "availability": "No subscription required", "binaries": [ { "binary_version": "1.2.10+dfsg-7ubuntu0.16.04.1", "binary_name": "liblog4net-cil-dev" }, { "binary_version": "1.2.10+dfsg-7ubuntu0.16.04.1", "binary_name": "liblog4net1.2-cil" } ] }
{ "availability": "No subscription required", "binaries": [ { "binary_version": "1.2.10+dfsg-7ubuntu0.18.04.1", "binary_name": "liblog4net-cil-dev" }, { "binary_version": "1.2.10+dfsg-7ubuntu0.18.04.1", "binary_name": "liblog4net1.2-cil" } ] }
{ "availability": "No subscription required", "binaries": [ { "binary_version": "1.2.10+dfsg-7ubuntu0.20.04.1", "binary_name": "liblog4net-cil-dev" }, { "binary_version": "1.2.10+dfsg-7ubuntu0.20.04.1", "binary_name": "liblog4net1.2-cil" } ] }