CVE-2019-17571 (High) detected in log4j-1.2.17.jar #87
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2019-17571 - High Severity Vulnerability
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /tmp/ws-scm/opensphere-desktop/open-sphere-plugins/imagery/pom.xml
Path to vulnerable library: epository/log4j/log4j/1.2.17/log4j-1.2.17.jar,epository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,epository/log4j/log4j/1.2.17/log4j-1.2.17.jar,epository/log4j/log4j/1.2.17/log4j-1.2.17.jar,epository/log4j/log4j/1.2.17/log4j-1.2.17.jar,epository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar,epository/log4j/log4j/1.2.17/log4j-1.2.17.jar,epository/log4j/log4j/1.2.17/log4j-1.2.17.jar,/root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy:
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.The text was updated successfully, but these errors were encountered: