CVE-2022-23307

CWE-502 — Deserialization of Untrusted Data17 documents7 sources

Severity

8.8HIGH

EPSS

2.2%

top 15.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Log4j 1.X Apache Chainsaw Apache Log4j +24 more

Timeline

PublishedJan 18

Latest updateJun 23

Description

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages31 packages

▶NVDapache/chainsaw< 2.1.0

▶NVDapache/log4j1.2 — 2.0

▶CVEListV5apache_software_foundation/apache_log4j_1.x1.2.1 — unspecified+1

▶Debianapache-log4j1.2< 1.2.17-10+deb11u1+3

▶Ubuntuapache-log4j1.2< 1.2.17-4ubuntu3+esm2

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

apache-log4j1.2 vulnerabilities↗2025-06-23

▶

OSV

linux-xilinx-zynqmp vulnerabilities↗2024-09-18

▶

OSV

linux-gcp-5.15 vulnerabilities↗2024-07-30

▶

OSV

linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15 vulnerabilities↗2024-07-26

▶

OSV

linux-aws-5.15 vulnerabilities↗2024-07-23

▶

📋Vendor Advisories

Ubuntu

Apache Log4j vulnerabilities↗2025-06-23

▶

Ubuntu

Apache Log4j vulnerabilities↗2023-04-05

▶

Red Hat

log4j: Unsafe deserialization flaw in Chainsaw log viewer↗2022-01-18

▶

Debian

CVE-2022-23307: apache-log4j1.2 - CVE-2020-9493 identified a deserialization issue that was present in Apache Chai...↗2022

▶