CVE-2021-45105
Published 2021-12-18
Medium 5.9 (CVSS 3.1)
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
Affected
232 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | log4j | >= 2.0 < 2.3.1 | 2.3.1 |
| apache | log4j | 2.13.0 – 2.16.0 | — |
| apache | log4j | >= 2.4 < 2.12.3 | 2.12.3 |
| apache | logging | — | — |
| apache | ofbiz | — | — |
| apache_software_foundation | apache_log4j2 | >= log4j-core < 2.17.0 | 2.17.0 |
| debian | apache-log4j2 | < apache-log4j2 2.17.0-1 (bookworm) | apache-log4j2 2.17.0-1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| oracle | agile_engineering_data_management | — | — |
| oracle | agile_plm | — | — |
| oracle | agile_plm_mcad_connector | — | — |
| oracle | autovue_for_agile_product_lifecycle_management | — | — |
| oracle | banking_deposits_and_lines_of_credit_servicing | — | — |
| oracle | banking_enterprise_default_management | — | — |
| oracle | banking_enterprise_default_management | — | — |
| oracle | banking_loans_servicing | — | — |
| oracle | banking_party_management | — | — |
| oracle | banking_payments | — | — |
| oracle | banking_platform | — | — |
| oracle | banking_platform | — | — |
| oracle | banking_platform | — | — |
| oracle | banking_trade_finance | — | — |
| oracle | banking_treasury_management | — | — |
| oracle | business_intelligence | — | — |
CVSS provenance
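| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | — | 10.0 | CRITICAL | — |
| osv | — | 10.0 | CRITICAL | — |
| vulncheck | — | 5.9 | MEDIUM | — |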