Vulnerabilities |
1 via 2 paths |
|---|---|
Dependencies |
48 |
Source |
GitHub |
Find, fix and prevent vulnerabilities in your code.
medium severity
new
- Vulnerable module: org.apache.logging.log4j:log4j-api
- Introduced through: org.apache.poi:poi-scratchpad@5.5.1
Detailed paths
-
Introduced through: Document-Archiver/com.sophisticatedapps.archiving.document-archiver@Document-Archiver/com.sophisticatedapps.archiving.document-archiver › org.apache.poi:poi-scratchpad@5.5.1 › org.apache.logging.log4j:log4j-api@3.0.0-beta2
-
Introduced through: Document-Archiver/com.sophisticatedapps.archiving.document-archiver@Document-Archiver/com.sophisticatedapps.archiving.document-archiver › org.apache.poi:poi-scratchpad@5.5.1 › org.apache.poi:poi@5.5.1 › org.apache.logging.log4j:log4j-api@3.0.0-beta2
Overview
Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the MapMessage.asJson() method, which emits the bare NaN, Infinity, or -Infinity tokens instead of an RFC 8259-compliant representation. An attacker can emit malformed JSON that corrupts the enclosing log record or disrupts downstream log ingestion and parsing by supplying non-finite floating-point values that the application records in a logged MapMessage. Exploitation requires the application to use the message resolver of JsonTemplateLayout, or another layout relying on MapMessage.asJson(), and to log a MapMessage holding attacker-controlled floating-point values.
Note: This is a bypass of the fix for the vulnerability described in CVE-2026-34481.
Remediation
A fix was pushed into the master branch but not yet published.
References
medium severity
- Module: junit:junit
- Introduced through: com.dlsc.pdfviewfx:pdfviewfx@1.9.0
Detailed paths
-
Introduced through: Document-Archiver/com.sophisticatedapps.archiving.document-archiver@Document-Archiver/com.sophisticatedapps.archiving.document-archiver › com.dlsc.pdfviewfx:pdfviewfx@1.9.0 › org.apache.pdfbox:pdfbox@2.0.24 › org.apache.pdfbox:fontbox@2.0.24 › junit:junit@4.13.2
EPL-1.0 license