Vulnerabilities

1 via 2 paths

Dependencies

48

Source

GitHub

Find, fix and prevent vulnerabilities in your code.

Issue type
  • 1
  • 1
Severity
  • 2
Status
  • 2
  • 0
  • 0

medium severity
new

Improper Encoding or Escaping of Output

  • Vulnerable module: org.apache.logging.log4j:log4j-api
  • Introduced through: org.apache.poi:poi-scratchpad@5.5.1

Detailed paths

  • Introduced through: Document-Archiver/com.sophisticatedapps.archiving.document-archiver@Document-Archiver/com.sophisticatedapps.archiving.document-archiver org.apache.poi:poi-scratchpad@5.5.1 org.apache.logging.log4j:log4j-api@3.0.0-beta2
  • Introduced through: Document-Archiver/com.sophisticatedapps.archiving.document-archiver@Document-Archiver/com.sophisticatedapps.archiving.document-archiver org.apache.poi:poi-scratchpad@5.5.1 org.apache.poi:poi@5.5.1 org.apache.logging.log4j:log4j-api@3.0.0-beta2

Overview

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the MapMessage.asJson() method, which emits the bare NaN, Infinity, or -Infinity tokens instead of an RFC 8259-compliant representation. An attacker can emit malformed JSON that corrupts the enclosing log record or disrupts downstream log ingestion and parsing by supplying non-finite floating-point values that the application records in a logged MapMessage. Exploitation requires the application to use the message resolver of JsonTemplateLayout, or another layout relying on MapMessage.asJson(), and to log a MapMessage holding attacker-controlled floating-point values.

Note: This is a bypass of the fix for the vulnerability described in CVE-2026-34481.

Remediation

A fix was pushed into the master branch but not yet published.

References

medium severity

EPL-1.0 license

  • Module: junit:junit
  • Introduced through: com.dlsc.pdfviewfx:pdfviewfx@1.9.0

Detailed paths

  • Introduced through: Document-Archiver/com.sophisticatedapps.archiving.document-archiver@Document-Archiver/com.sophisticatedapps.archiving.document-archiver com.dlsc.pdfviewfx:pdfviewfx@1.9.0 org.apache.pdfbox:pdfbox@2.0.24 org.apache.pdfbox:fontbox@2.0.24 junit:junit@4.13.2

EPL-1.0 license