apache/log4net: The latest CVE Vulnerabilities and Exploits for Penetration Test
apache/log4net Vulnerability Summary
- Vendor name: apache
- Product name: log4net
- Total vulnerabilities: 2 (as 2023-05-04)
apache/log4net Vulnerability List
CVE-2018-1285: Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net…
Published: 2020-05-11T17:15:00 Last Modified: 2021-09-21T17:10:00
Summary
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
Common Weakness Enumeration (CWE): CWE-611: Improper Restriction of XML External Entity Reference
CWE Description: The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Scores
- Impact Score: 6.4
- Exploitability Score: 10.0
- CVSS: 7.5
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Impact
- Availability: PARTIAL
- Confidentiality: PARTIAL
- Integrity: PARTIAL
Access
- Authentication: NONE
- Complexity: LOW
- Vector: NETWORK
Currently, there is no code for exploiting the CVE-2018-1285 vulnerability.
References
- https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2U233HVAQDSZ2PRG4XSGDASLY3J6ALH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKL2LPINAI6BCMXOH4V4HVHGLUXIWOFO/
- https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369c1157243d840d9@%3Cdev.logging.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/
- https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc4341251577aac8e3866@%3Cdev.logging.apache.org%3E
- https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ffa8d37a03ab4b0f@%3Cdev.logging.apache.org%3E
- https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99b5fe73c5200b6a@%3Cdev.logging.apache.org%3E
- https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f653335de146e09ae2d@%3Cdev.logging.apache.org%3E
- https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41c9e9ad9e29a732@%3Cdev.logging.apache.org%3E
- https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b3e3d5025cc4872@%3Cdev.logging.apache.org%3E
- https://issues.apache.org/jira/browse/LOG4NET-575
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc34904d42a7f14f39c3@%3Cdev.logging.apache.org%3E
See also: All popular products CVE Vulnerabilities of apache
CVE-2006-0743: Format string vulnerability in LocalSyslogAppender in Apache log4net 1.2.9 might allow remote…
Published: 2006-03-09T20:02:00 Last Modified: 2017-07-20T01:30:00
Summary
Format string vulnerability in LocalSyslogAppender in Apache log4net 1.2.9 might allow remote attackers to cause a denial of service (memory corruption and termination) via unknown vectors.
Common Weakness Enumeration (CWE): CWE-134: Use of Externally-Controlled Format String
CWE Description: The software uses a function that accepts a format string as an argument, but the format string originates from an external source.
Scores
- Impact Score: 2.9
- Exploitability Score: 10.0
- CVSS: 5.0
- CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Impact
- Availability: PARTIAL
- Confidentiality: NONE
- Integrity: NONE
Access
- Authentication: NONE
- Complexity: LOW
- Vector: NETWORK
Currently, there is no code for exploiting the CVE-2006-0743 vulnerability.
References
- http://issues.apache.org/jira/browse/LOG4NET-67
- http://www.securityfocus.com/bid/17095
- http://secunia.com/advisories/19241
- http://www.osvdb.org/23905
- http://www.novell.com/linux/security/advisories/2006_26_sr.html
- http://secunia.com/advisories/22932
- http://www.vupen.com/english/advisories/2006/0955
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25196
See also: All popular products CVE Vulnerabilities of apache