Vulnerabilities

 1 via 2 paths

Dependencies

 26

Source

 GitHub

Commit

 391df0b2

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 1
  • 1
Severity
  • 2
Status
  • 2
  • 0
  • 0

medium severity
new

Improper Validation of Certificate with Host Mismatch

  • Vulnerable module: org.apache.logging.log4j:log4j-core
  • Introduced through: org.apache.logging.log4j:log4j-core@2.17.2 and org.apache.logging.log4j:log4j-slf4j-impl@2.17.2

Detailed paths

  • Introduced through: toolisticon/keycloak-gdpr-module@toolisticon/keycloak-gdpr-module#391df0b2736dbded52b8d32e93cde90afc4644f5 org.apache.logging.log4j:log4j-core@2.17.2
    Remediation: Upgrade to org.apache.logging.log4j:log4j-core@2.25.3.
  • Introduced through: toolisticon/keycloak-gdpr-module@toolisticon/keycloak-gdpr-module#391df0b2736dbded52b8d32e93cde90afc4644f5 org.apache.logging.log4j:log4j-slf4j-impl@2.17.2 org.apache.logging.log4j:log4j-core@2.17.2
    Remediation: Upgrade to org.apache.logging.log4j:log4j-slf4j-impl@2.25.3.

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to the lack of TLS hostname verification in the SocketAppender component. An attacker can intercept or redirect log traffic by performing a man-in-the-middle attack if they are able to intercept or redirect network traffic between the client and the log receiver and can present a server certificate issued by a certification authority trusted by the configured trust store or the default Java trust store.

Workaround

This vulnerability can be mitigated by configuring the SocketAppender to use a private or restricted trust root to limit the set of trusted certificates.

Remediation

Upgrade org.apache.logging.log4j:log4j-core to version 2.25.3 or higher.

References

Improper Validation of Certificate with Host Mismatch vulnerability report

medium severity

EPL-1.0 license

  • Module: junit:junit
  • Introduced through: org.apache.logging.log4j:log4j-core@2.17.2 and org.apache.logging.log4j:log4j-slf4j-impl@2.17.2

Detailed paths

  • Introduced through: toolisticon/keycloak-gdpr-module@toolisticon/keycloak-gdpr-module#391df0b2736dbded52b8d32e93cde90afc4644f5 org.apache.logging.log4j:log4j-core@2.17.2 org.junit.vintage:junit-vintage-engine@5.8.2 junit:junit@4.13.2
  • Introduced through: toolisticon/keycloak-gdpr-module@toolisticon/keycloak-gdpr-module#391df0b2736dbded52b8d32e93cde90afc4644f5 org.apache.logging.log4j:log4j-slf4j-impl@2.17.2 org.junit.vintage:junit-vintage-engine@5.8.2 junit:junit@4.13.2
  • Introduced through: toolisticon/keycloak-gdpr-module@toolisticon/keycloak-gdpr-module#391df0b2736dbded52b8d32e93cde90afc4644f5 org.apache.logging.log4j:log4j-core@2.17.2 org.apache.logging.log4j:log4j-api@2.17.2 org.junit.jupiter:junit-jupiter-migrationsupport@5.8.2 junit:junit@4.13.2
  • Introduced through: toolisticon/keycloak-gdpr-module@toolisticon/keycloak-gdpr-module#391df0b2736dbded52b8d32e93cde90afc4644f5 org.apache.logging.log4j:log4j-slf4j-impl@2.17.2 org.apache.logging.log4j:log4j-api@2.17.2 org.junit.jupiter:junit-jupiter-migrationsupport@5.8.2 junit:junit@4.13.2
  • Introduced through: toolisticon/keycloak-gdpr-module@toolisticon/keycloak-gdpr-module#391df0b2736dbded52b8d32e93cde90afc4644f5 org.apache.logging.log4j:log4j-core@2.17.2 org.apache.logging.log4j:log4j-api@2.17.2 org.junit.vintage:junit-vintage-engine@5.8.2 junit:junit@4.13.2
  • Introduced through: toolisticon/keycloak-gdpr-module@toolisticon/keycloak-gdpr-module#391df0b2736dbded52b8d32e93cde90afc4644f5 org.apache.logging.log4j:log4j-slf4j-impl@2.17.2 org.apache.logging.log4j:log4j-api@2.17.2 org.junit.vintage:junit-vintage-engine@5.8.2 junit:junit@4.13.2
  • Introduced through: toolisticon/keycloak-gdpr-module@toolisticon/keycloak-gdpr-module#391df0b2736dbded52b8d32e93cde90afc4644f5 org.apache.logging.log4j:log4j-slf4j-impl@2.17.2 org.apache.logging.log4j:log4j-core@2.17.2 org.junit.vintage:junit-vintage-engine@5.8.2 junit:junit@4.13.2
  • Introduced through: toolisticon/keycloak-gdpr-module@toolisticon/keycloak-gdpr-module#391df0b2736dbded52b8d32e93cde90afc4644f5 org.apache.logging.log4j:log4j-slf4j-impl@2.17.2 org.apache.logging.log4j:log4j-core@2.17.2 org.apache.logging.log4j:log4j-api@2.17.2 org.junit.jupiter:junit-jupiter-migrationsupport@5.8.2 junit:junit@4.13.2
  • Introduced through: toolisticon/keycloak-gdpr-module@toolisticon/keycloak-gdpr-module#391df0b2736dbded52b8d32e93cde90afc4644f5 org.apache.logging.log4j:log4j-slf4j-impl@2.17.2 org.apache.logging.log4j:log4j-core@2.17.2 org.apache.logging.log4j:log4j-api@2.17.2 org.junit.vintage:junit-vintage-engine@5.8.2 junit:junit@4.13.2

EPL-1.0 license

EPL-1.0 license vulnerability report