Path to dependency file: /tmp/ws-scm/sht21/sht21-backend/build.gradle
Path to vulnerable library: le/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-core/2.7/a3f2b4e64c61a7fc1ed8f1e5ba371933404ed98a/log4j-core-2.7.jar
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
CVE-2017-5645 - High Severity Vulnerability
The Apache Log4j Implementation
Library home page: http://logging.apache.org/log4j/2.x/log4j-core/
Path to dependency file: /tmp/ws-scm/sht21/sht21-backend/build.gradle
Path to vulnerable library: le/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-core/2.7/a3f2b4e64c61a7fc1ed8f1e5ba371933404ed98a/log4j-core-2.7.jar
Dependency Hierarchy: - :x: **log4j-core-2.7.jar** (Vulnerable Library)
Found in HEAD commit: 4057e364d8f0e9a2d440890a01e74a338ec8ffbd
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Publish Date: 2017-04-17
URL: CVE-2017-5645
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-5645
Release Date: 2017-04-17
Fix Resolution: 2.8.2
Step up your Open Source Security Game with WhiteSource here