Vulnerabilities

 1 via 2 paths

Dependencies

 112

Source

 GitHub

Commit

 4ceb0a09

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity
new

Improper Validation of Certificate with Host Mismatch

  • Vulnerable module: org.apache.logging.log4j:log4j-core
  • Introduced through: org.ligoj.bootstrap:bootstrap-business@3.2.3

Detailed paths

  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git#4ceb0a095a2b5d24943825e3d0636cbeba46a1d8 org.ligoj.bootstrap:bootstrap-business@3.2.3 org.ligoj.bootstrap:bootstrap-core@3.2.3 org.apache.logging.log4j:log4j-core@2.25.2
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git#4ceb0a095a2b5d24943825e3d0636cbeba46a1d8 org.ligoj.bootstrap:bootstrap-business@3.2.3 org.ligoj.bootstrap:bootstrap-core@3.2.3 org.apache.logging.log4j:log4j-slf4j2-impl@2.25.2 org.apache.logging.log4j:log4j-core@2.25.2

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to the lack of TLS hostname verification in the SocketAppender component. An attacker can intercept or redirect log traffic by performing a man-in-the-middle attack if they are able to intercept or redirect network traffic between the client and the log receiver and can present a server certificate issued by a certification authority trusted by the configured trust store or the default Java trust store.

Workaround

This vulnerability can be mitigated by configuring the SocketAppender to use a private or restricted trust root to limit the set of trusted certificates.

Remediation

Upgrade org.apache.logging.log4j:log4j-core to version 2.25.3 or higher.

References

Improper Validation of Certificate with Host Mismatch vulnerability report