CVE-2021-44832

Vulnerable Component Details
| Type  | Namespace                | Name      | Version | Package URL |
|-------|--------------------------|-----------|---------|-------------|
| maven | org.apache.logging.log4j | log4j-api | 2.16.0  | pkg:maven/org.apache.logging.log4j/log4j-api@2.16.0?type=jar |
Vulnerability Details
ID: CVE-2021-44832
Description: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Recommendation (one entry per reporting source):
- State: fixed | Fix Versions: 2.17.1
- Upgrade to versions 2.12.4, 2.17.1 or above.
- Upgrade to versions 2.3.2, 2.12.4, 2.17.1 or above.
Ratings
| Severity | Score | Method  | Vector                                       | Source |
|----------|-------|---------|----------------------------------------------|--------|
|          | None  | None    |                                              | amazon |
|          | 6.6   | CVSSv31 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | ghsa   |
|          | 8.5   | CVSSv2  | AV:N/AC:M/Au:S/C:C/I:C/A:C                   | nvd    |
|          | 6.6   | CVSSv31 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | nvd    |
|          | 6.6   | CVSSv31 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | redhat |
|          | None  | None    |                                              | ubuntu |
Related Vulnerabilities
Found By: GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index, Aquasec Trivy
References / Advisories
Weakness Enumeration