[DepShield] (CVSS 9.8) Vulnerability due to usage of log4j:log4j:1.2.17

[sonatype-depshield[bot]]

Vulnerabilities

DepShield reports that this application's usage of log4j:log4j:1.2.17 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2019-17571] Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserializat...
• (CVSS 3.7) [CVE-2020-9488] Improper validation of certificate with host mismatch in Apache Log4j SMTP appen...

---

Occurrences

log4j:log4j:1.2.17 is a transitive dependency introduced by the following direct dependency(s):

• org.slf4j:slf4j-log4j12:1.7.30         └─ log4j:log4j:1.2.17

• com.khubla.pragmatach:pragmatach-jcr:1.41.0-SNAPSHOT         └─ org.slf4j:slf4j-log4j12:1.7.30               └─ log4j:log4j:1.2.17

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

[sonatype-depshield[bot]]

DepShield reports that the following additional vulnerability(s) have been discovered for log4j:log4j:1.2.17:

• (CVSS 9.0) [CVE-2021-44228] Remote Code Execution
• (CVSS 8.1) [CVE-2021-4104] JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when...

[sonatype-depshield[bot]]

DepShield reports that the following additional vulnerability(s) have been discovered for log4j:log4j:1.2.17:

• (CVSS 9.8) [CVE-2022-23305] By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configu...
• (CVSS 8.8) [CVE-2022-23307] CVE-2020-9493 identified a deserialization issue that was present in Apache Chai...
• (CVSS 8.8) [CVE-2022-23302] JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrust...