Giters

matteobaccan / owner

Get rid of the boilerplate code in properties based configuration.

Home Page:https://matteobaccan.github.io/owner/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CVE-2022-23307 (High) detected in log4j-1.2.17.jar

mend-bolt-for-github opened this issue · comments

commented

CVE-2022-23307 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /owner-extras/pom.xml

Path to vulnerable library: /owner-extras/pom.xml

Dependency Hierarchy:

  • curator-framework-4.3.0.jar (Root Library)
    • curator-client-4.3.0.jar
      • zookeeper-3.5.7.jar
        • log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: 12e21721ff1098fe44de120bf2737fd994f40fa6

Found in base branch: master

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

Step up your Open Source Security Game with Mend here