This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 52a159e  Fix typo
52a159e is described below

commit 52a159e90e0e818f72461c4b2e62c0663eec67e3
Author: Ralph Goers <rgo...@apache.org>
AuthorDate: Mon Jan 17 13:41:52 2022 -0700

    Fix typo
---
 log4j-1.2.17/index.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/log4j-1.2.17/index.html b/log4j-1.2.17/index.html
index 1dcf5cd..aa98382 100644
--- a/log4j-1.2.17/index.html
+++ b/log4j-1.2.17/index.html
@@ -159,8 +159,8 @@
                 <p><a 
href="https://www.cvedetails.com/cve/CVE-2019-17571/";>CVE-2019-17571</a> is a 
high severity issue targeting the SocketServer. Log4j includes a SocketServer 
that accepts serialized log events and deserializes them without verifying 
whether the objects are allowed or not. 
                 This can provide an attack vector that can be expoited.</p>
                 <p><a 
href="https://www.cvedetails.com/cve/CVE-2020-9488/";>CVE-2020-9488</a> is a 
moderate severity issue with the SMTPAppender. Improper validation of 
certificate with host mismatch in Apache Log4j SMTP appender. This could allow 
an SMTPS connection to be intercepted by a man-in-the-middle attack which could 
leak any log messages sent through that appender.</p>
-                <p><a 
href="https://www.cvedetails.com/cve/CVE-2021-4104/";>CVE-2021-4104</a> is a 
high severity deserialization vulnerability in JMSAppender. JMSAppender uses 
JNDI in an unprotected manner allowing any application using the JMSAppender to 
be vulnerable if it is configured to reference an untrusted site or if the site 
referenced can be accesseed by the attacker. For example, he attacker can cause 
remote code execution by manipulating the data in the LDAP store.</p>
-                <p><a 
href="https://www.cvedetails.com/cve/CVE-2022-23302/";>CVE-2022-23302</a> is a 
high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an 
unprotected manner allowing any application using the JMSSink to be vulnerable 
if it is configured to reference an untrusted site or if the site referenced 
can be accesseed by the attacker. For example, he attacker can cause remote 
code execution by manipulating the data in the LDAP store.</p>
+                <p><a 
href="https://www.cvedetails.com/cve/CVE-2021-4104/";>CVE-2021-4104</a> is a 
high severity deserialization vulnerability in JMSAppender. JMSAppender uses 
JNDI in an unprotected manner allowing any application using the JMSAppender to 
be vulnerable if it is configured to reference an untrusted site or if the site 
referenced can be accesseed by the attacker. For example, the attacker can 
cause remote code execution by manipulating the data in the LDAP store.</p>
+                <p><a 
href="https://www.cvedetails.com/cve/CVE-2022-23302/";>CVE-2022-23302</a> is a 
high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an 
unprotected manner allowing any application using the JMSSink to be vulnerable 
if it is configured to reference an untrusted site or if the site referenced 
can be accesseed by the attacker. For example, the attacker can cause remote 
code execution by manipulating the data in the LDAP store.</p>
                 <p><a 
href="https://www.cvedetails.com/cve/CVE-2022-23305/";>CVE-2022-23305</a> is a 
high serverity SQL injection flaw in JDBCAppender that allows the data being 
logged to modify the behavior of the component. By design, the JDBCAppender in 
Log4j 1.2.x accepts an SQL statement as a configuration parameter where the 
values to be inserted are converters from PatternLayout. The message converter, 
%m, is likely to always be included. This allows attackers to manipulate the 
SQL [...]
                 <p><a 
href="https://www.cvedetails.com/cve/CVE-2022-23307/";>CVE-2022-23307</a> is a 
critical severity against the chainsaw component in Log4j 1.x. This is the same 
issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was 
included as part of Log4j 1.2.x.</p> 
               <h2>Java Version Incompatibilities</h2>
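Review bot: the typo fix is incomplete: both replacement paragraphs (CVE-2021-4104 and CVE-2022-23302) still contain "accesseed" in "if the site referenced can be accesseed by the attacker", and the unchanged context around them keeps "expoited" in the CVE-2019-17571 paragraph and "serverity" in the CVE-2022-23305 paragraph. Since the commit is titled "Fix typo", suggest correcting all of these in the same change, e.g. `referenced can be accessed by the attacker.`, `This can provide an attack vector that can be exploited.` and `high severity SQL injection flaw in JDBCAppender`. The CVE-2022-23307 paragraph in the trailing context also reads "is a critical severity against the chainsaw component" and needs a noun such as "issue" after "severity". Every `href` in the hunk shows `";>` after the URL; worth confirming that the `;` is only the mail archive's rendering and not present in the HTML source, since it would otherwise land in the page markup.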
