Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mN3ZoLXF3cDMteDM3bc0kWQ
Deserialization of Untrusted Data in Apache Log4j
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Users are advised to migrate from log4j:log4j to org.apache.logging.log4j:log4j for an updated version of the library.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mN3ZoLXF3cDMteDM3bc0kWQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: 6 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-f7vh-qwp3-x37m, CVE-2022-23307
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-23307
- https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh
- https://logging.apache.org/log4j/1.2/index.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/advisories/GHSA-f7vh-qwp3-x37m
Affected Packages
maven:org.zenframework.z8.dependencies.commons:log4j-1.2.17
Dependent packages: 1Dependent repositories: 6
Downloads:
Affected Version Ranges: <= 2.0
No known fixed version
All affected versions:
maven:log4j:log4j
Dependent packages: 13,845Dependent repositories: 236,580
Downloads:
Affected Version Ranges: <= 1.2.17
No known fixed version
All affected versions: 1.1.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.2.15, 1.2.16, 1.2.17