CVE-2018-1285
Published 2020-05-11

CVSS 3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | log4net | < 2.0.10 | 2.0.10 |
| apache | log4net | >= 0 < 1.2.10+dfsg-8 | 1.2.10+dfsg-8 |
| apache | log4net | >= 0 < 1.2.10+dfsg-8 | 1.2.10+dfsg-8 |
| apache | log4net | >= 0 < 2.0.10 | 2.0.10 |
| debian | log4net | < log4net 1.2.10+dfsg-8 (bullseye) | log4net 1.2.10+dfsg-8 (bullseye) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| oracle | application_testing_suite | — | — |
| oracle | hospitality_opera_5 | — | — |
| oracle | hospitality_opera_5 | — | — |
| oracle | hospitality_simphony | — | — |
| oracle | hospitality_simphony | — | — |
| quest | kace_desktop_authority | >= 10.0 < 11.2 | 11.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |