apache/log4net: The latest CVE Vulnerabilities and Exploits for Penetration Test

 

Page content

apache/log4net Vulnerability Summary

  • Vendor name: apache
  • Product name: log4net
  • Total vulnerabilities: 2 (as 2023-05-04)

apache/log4net Vulnerability List

CVE-2018-1285: Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net…

Published: 2020-05-11T17:15:00 Last Modified: 2021-09-21T17:10:00

Summary

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

Common Weakness Enumeration (CWE): CWE-611: Improper Restriction of XML External Entity Reference

CWE Description: The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Scores

  • Impact Score: 6.4
  • Exploitability Score: 10.0
  • CVSS: 7.5
  • CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact

  • Availability: PARTIAL
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL

Access

  • Authentication: NONE
  • Complexity: LOW
  • Vector: NETWORK

Currently, there is no code for exploiting the CVE-2018-1285 vulnerability.

References

See also: All popular products CVE Vulnerabilities of apache

CVE-2006-0743: Format string vulnerability in LocalSyslogAppender in Apache log4net 1.2.9 might allow remote…

Published: 2006-03-09T20:02:00 Last Modified: 2017-07-20T01:30:00

Summary

Format string vulnerability in LocalSyslogAppender in Apache log4net 1.2.9 might allow remote attackers to cause a denial of service (memory corruption and termination) via unknown vectors.

Common Weakness Enumeration (CWE): CWE-134: Use of Externally-Controlled Format String

CWE Description: The software uses a function that accepts a format string as an argument, but the format string originates from an external source.

Scores

  • Impact Score: 2.9
  • Exploitability Score: 10.0
  • CVSS: 5.0
  • CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact

  • Availability: PARTIAL
  • Confidentiality: NONE
  • Integrity: NONE

Access

  • Authentication: NONE
  • Complexity: LOW
  • Vector: NETWORK

Currently, there is no code for exploiting the CVE-2006-0743 vulnerability.

References

See also: All popular products CVE Vulnerabilities of apache