Find, fix and prevent vulnerabilities in your code.
high severity
- Vulnerable module: org.apache.logging.log4j:log4j-core
- Introduced through: org.apache.logging.log4j:log4j-slf4j-impl@2.24.3
Detailed paths
-
Introduced through: rtto/lutra-mirror@rtto/lutra-mirror#develop › org.apache.logging.log4j:log4j-slf4j-impl@2.24.3 › org.apache.logging.log4j:log4j-core@2.24.3Remediation: Upgrade to org.apache.logging.log4j:log4j-slf4j-impl@2.25.4.
Overview
org.apache.logging.log4j:log4j-core is a logging library for Java.
Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the XmlLayout plugin. An attacker can cause log events to be silently lost or malformed by injecting XML 1.0 forbidden characters into log messages or MDC values. This may result in malformed XML output, which can cause downstream log-processing systems to drop affected records or prevent log events from being delivered to their intended destinations.
Remediation
A fix was pushed into the master branch but not yet published.
References
high severity
- Vulnerable module: org.apache.logging.log4j:log4j-core
- Introduced through: org.apache.logging.log4j:log4j-slf4j-impl@2.24.3
Detailed paths
-
Introduced through: rtto/lutra-mirror@rtto/lutra-mirror#develop › org.apache.logging.log4j:log4j-slf4j-impl@2.24.3 › org.apache.logging.log4j:log4j-core@2.24.3Remediation: Upgrade to org.apache.logging.log4j:log4j-slf4j-impl@2.25.4.
Overview
org.apache.logging.log4j:log4j-core is a logging library for Java.
Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the Log4j1XmlLayout plugin. An attacker can cause log events to be silently lost or downstream log processing systems to drop or fail to index affected records by introducing XML 1.0 forbidden characters into log messages, resulting in malformed XML output that conforming XML parsers reject with a fatal error.
Remediation
A fix was pushed into the master branch but not yet published.
References
high severity
- Vulnerable module: org.apache.logging.log4j:log4j-core
- Introduced through: org.apache.logging.log4j:log4j-slf4j-impl@2.24.3
Detailed paths
-
Introduced through: rtto/lutra-mirror@rtto/lutra-mirror#develop › org.apache.logging.log4j:log4j-slf4j-impl@2.24.3 › org.apache.logging.log4j:log4j-core@2.24.3Remediation: Upgrade to org.apache.logging.log4j:log4j-slf4j-impl@2.25.4.
Overview
org.apache.logging.log4j:log4j-core is a logging library for Java.
Affected versions of this package are vulnerable to Improper Output Neutralization for Logs in the Rfc5424Layout plugin due to newLineEscape and useTlsMessageFormat configuration attributes being silently renamed, leading to improper handling of newline escaping for TCP framing and incorrect message formatting for TLS framing. An attacker can inject arbitrary log entries by supplying crafted CRLF sequences in log messages, potentially manipulating log output or bypassing log-based security controls.
Note:
This is only exploitable if the Rfc5424Layout is configured directly with affected attributes in stream-based syslog services.
Users of the SyslogAppender are not affected, as its configuration attributes were not modified.
Remediation
A fix was pushed into the master branch but not yet published.
References
medium severity
- Vulnerable module: org.apache.logging.log4j:log4j-core
- Introduced through: org.apache.logging.log4j:log4j-slf4j-impl@2.24.3
Detailed paths
-
Introduced through: rtto/lutra-mirror@rtto/lutra-mirror#develop › org.apache.logging.log4j:log4j-slf4j-impl@2.24.3 › org.apache.logging.log4j:log4j-core@2.24.3Remediation: Upgrade to org.apache.logging.log4j:log4j-slf4j-impl@2.25.3.
Overview
org.apache.logging.log4j:log4j-core is a logging library for Java.
Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to the lack of TLS hostname verification in the SocketAppender component. An attacker can intercept or redirect log traffic by performing a man-in-the-middle attack if they are able to intercept or redirect network traffic between the client and the log receiver and can present a server certificate issued by a certification authority trusted by the configured trust store or the default Java trust store.
Workaround
This vulnerability can be mitigated by configuring the SocketAppender to use a private or restricted trust root to limit the set of trusted certificates.
Remediation
Upgrade org.apache.logging.log4j:log4j-core to version 2.25.3 or higher.
References
medium severity
- Vulnerable module: org.apache.logging.log4j:log4j-core
- Introduced through: org.apache.logging.log4j:log4j-slf4j-impl@2.24.3
Detailed paths
-
Introduced through: rtto/lutra-mirror@rtto/lutra-mirror#develop › org.apache.logging.log4j:log4j-slf4j-impl@2.24.3 › org.apache.logging.log4j:log4j-core@2.24.3Remediation: Upgrade to org.apache.logging.log4j:log4j-slf4j-impl@2.25.4.
Overview
org.apache.logging.log4j:log4j-core is a logging library for Java.
Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to the lack of TLS hostname verification in the SocketAppender component when configured through the verifyHostName attribute of the <Ssl> element. An attacker can intercept and manipulate network traffic by presenting a certificate issued by a trusted certificate authority to the appender's configured trust store, or the default Java trust store if none is configured. This is only exploitable if an SMTP, Socket, or Syslog appender is in use and TLS is configured via a nested
Note:
This issue is due to incomplete fix for CVE-2025-68161.
Remediation
A fix was pushed into the master branch but not yet published.