CVE-2020-9488: Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a…

low3.7CVSS 3.1

AVNACHPRNUINSUCLINAN

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Affected

105 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	apache_log4j	—	—
apache	apache_log4j	>= log4j-core < 2.12.3	2.12.3
apache	log4j	>= 2.0 < 2.3.2	2.3.2
apache	log4j	>= 2.13.0 < 2.13.2	2.13.2
apache	log4j	>= 2.4 < 2.12.3	2.12.3
apache	logging	—	—
debian	apache-log4j2	< apache-log4j2 2.13.3-1 (bookworm)	apache-log4j2 2.13.3-1 (bookworm)
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
oracle	communications_application_session_controller	—	—
oracle	communications_billing_and_revenue_management	—	—
oracle	communications_billing_and_revenue_management	—	—
oracle	communications_eagle_ftp_table_base_retrieval	—	—
oracle	communications_offline_mediation_controller	—	—
oracle	communications_services_gatekeeper	—	—
oracle	communications_unified_inventory_management	—	—
oracle	communications_unified_inventory_management	—	—
oracle	data_integrator	—	—
oracle	data_integrator	—	—
oracle	enterprise_manager_for_peoplesoft	—	—
oracle	financial_services_analytical_applications_infrastructure	8.0.6.0.0 – 8.1.0.0.0	—
oracle	financial_services_institutional_performance_analytics	—	—
oracle	financial_services_institutional_performance_analytics	—	—
oracle	financial_services_institutional_performance_analytics	—	—

CVSS provenance

nvdv3.13.7LOWCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

osv3.7LOW