[Checkmarx][OSA] CVE-2019-17571 - Score 9.8 - log4j:log4j:1.2.17
miguelfreitas93 opened this issue · comments
** Library Details **
Library ID: 77F11F4BDDF69297B12338AEBF167C77896681C1
Library Name: log4j:log4j
Library Version: 1.2.17
Library Source File Name:
Library Confidence Level: 100
** Library Severity Details **
Library High Vulnerabilities: 0
Library Medium Vulnerabilities: 0
Library Low Vulnerabilities: 0
** CVE Details **
CVE Name: CVE-2019-17571
CVE Score: 9.8
Severity: High
State: TO_VERIFY
CVE Publish Date: 2019-12-20T17:15:00
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2019-17571
CVE Description: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j 1.2 up to 1.2.17.
NOTE: Log4j 1.2 is end-of-life since 2015 and will not be fixed.
MITIGATION: Migrate to 2.8.2 or above.
** Recommendations **
Library Newest Version: null
Library Newest Version Release Date: null
Library Number of Versions Since Last Update: 0
Recommendations: Fix unavailable
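The finding above is only exploitable where something actually starts the Log4j 1.2 socket receiver (`org.apache.log4j.net.SocketServer` or `SimpleSocketServer`, which hand incoming bytes to `SocketNode` for Java deserialization); a `log4j:log4j:1.2.17` jar sitting on the classpath is necessary but not sufficient. The script below is an added triage helper, not code from the Checkmarx report or from the log4j project: it checks a jar for the affected version range and the receiver classes, then checks launch scripts for a receiver invocation. It assumes the jar carries `META-INF/maven/log4j/log4j/pom.properties` (as Maven-built jars do); the jar contents, the script lines and the function names are constructed for the example.

```python
"""Triage helper for a CVE-2019-17571 finding on log4j:log4j 1.2.x.

Two questions decide whether the finding is reachable rather than merely
present: (1) is a Log4j 1.2 jar on the classpath that still ships the
SocketServer/SocketNode receiver, and (2) does anything launch that
receiver so that it listens for log events from the network?
The jar and the launch scripts used here are constructed sample data.
"""
import io
import re
import zipfile

# Classes whose presence means the deserializing receiver ships in the jar.
RECEIVER_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)
# Main classes that, when launched, listen on a TCP port and deserialize
# whatever arrives (the entry point described in the CVE).
RECEIVER_MAINS = re.compile(r"org\.apache\.log4j\.net\.(Simple)?SocketServer\b")


def parse_version(version):
    """'1.2.17' -> (1, 2, 17); trailing non-numeric parts are dropped."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected_version(version):
    """CVE-2019-17571 affects Log4j 1.2 up to and including 1.2.17."""
    parsed = parse_version(version)
    return len(parsed) >= 2 and parsed[:2] == (1, 2) and parsed <= (1, 2, 17)


def scan_jar(jar_bytes):
    """Read the Maven version from the jar and list receiver classes present."""
    result = {"version": None, "receiver_classes": [], "affected": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        pom = "META-INF/maven/log4j/log4j/pom.properties"  # assumption: Maven-built jar
        if pom in names:
            for line in jar.read(pom).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    result["version"] = line.split("=", 1)[1].strip()
        result["receiver_classes"] = [c for c in RECEIVER_CLASSES if c in names]
    result["affected"] = (
        result["version"] is not None
        and is_affected_version(result["version"])
        and bool(result["receiver_classes"])
    )
    return result


def find_receiver_launches(script_lines):
    """Return the script lines that start a Log4j socket receiver."""
    return [line for line in script_lines if RECEIVER_MAINS.search(line)]


def triage(jar_bytes, script_lines):
    """Combine both checks into one verdict for the scanner finding."""
    jar = scan_jar(jar_bytes)
    launches = find_receiver_launches(script_lines)
    if not jar["affected"]:
        verdict = "not affected: no vulnerable log4j 1.2 receiver classes"
    elif launches:
        verdict = "exploitable: vulnerable jar and a SocketServer is launched"
    else:
        verdict = "present but not reachable: no SocketServer listener; still migrate (1.2 is EOL)"
    return {"jar": jar, "launches": launches, "verdict": verdict}


def build_sample_jar(version, with_receiver=True):
    """Constructed stand-in for log4j-<version>.jar (not the real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/log4j/log4j/pom.properties",
                     f"groupId=log4j\nartifactId=log4j\nversion={version}\n")
        jar.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        if with_receiver:  # False models a jar with the receiver classes stripped
            for cls in RECEIVER_CLASSES:
                jar.writestr(cls, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed launch scripts: only the first one starts the receiver.
SAMPLE_SCRIPTS = {
    "log-collector.sh": [
        "#!/bin/sh",
        "exec java -cp lib/log4j-1.2.17.jar org.apache.log4j.net.SimpleSocketServer 4560 log4j.properties",
    ],
    "app.sh": [
        "#!/bin/sh",
        "exec java -cp lib/log4j-1.2.17.jar:app.jar com.example.App",
    ],
}

if __name__ == "__main__":
    sample_jar = build_sample_jar("1.2.17")
    for name, lines in SAMPLE_SCRIPTS.items():
        print(name, "->", triage(sample_jar, lines)["verdict"])
```

Run it against the real jar and the real start scripts or systemd units of each service that bundles log4j 1.2. A "present but not reachable" verdict justifies lowering the priority of the ticket, not closing it: the report is right that 1.2 is end-of-life, and the only fix it offers is migrating off the 1.x line.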
Vulnerability does not exist anymore