org.apache.logging.log4j:log4j
Maven2 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.logging.log4j:log4j (page 1 of 1)
- CVE-2017-5645 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 2.8.2 · 2017-04-17
vulnerable: 2.0 ... 2.8.1 (17 versions)
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrar…
- CVE-2020-9488 · LOW · CVSS 3.7 · EG 3.7 · ✓ Fixed in 2.3.2 · 2020-04-27
vulnerable: 2.0 ... 2.3.1 (20 versions)
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed i…