Posted to commits@archiva.apache.org by ma...@apache.org on 2021/12/19 10:17:38 UTC
[archiva-site] 01/02: Adding new security information
This is an automated email from the ASF dual-hosted git repository.
martin_s pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/archiva-site.git
commit 19f2dd9a5767fec50695ca784445e5581078619b
Author: Martin Stockhammer <ma...@apache.org>
AuthorDate: Sun Dec 19 11:15:27 2021 +0100
Adding new security information
---
src/site/apt/security.apt | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/site/apt/security.apt b/src/site/apt/security.apt
index 136004d..3b6a113 100644
--- a/src/site/apt/security.apt
+++ b/src/site/apt/security.apt
@@ -36,6 +36,14 @@ Security Vulnerabilities
%{toc|fromDepth=2|toDepth=2}
+* {CVE-2021-45105}: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
+
+ This may be used by attackers, if users changed the default Archiva log4j2.xml configuration.
+
+* {CVE-2021-45046}: Apache log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
+
+ This may be used by attackers, if users changed the default Archiva log4j2.xml configuration.
+
* {CVE-2021-44228}: Apache log4j2 is vulnerable to remote code execution
As mentioned in this CVE Apache log4j2 libraries are vulnerable to remote code execution.
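Review bot: The sentence "This may be used by attackers, if users changed the default Archiva log4j2.xml configuration." is repeated verbatim under both the CVE-2021-45105 and CVE-2021-45046 entries, and it does not tell an administrator which configuration changes create the exposure or what to do about it. Suggest stating the triggering condition per entry (the CVE-2021-45046 title already points at Thread Context Lookup patterns in non-default configurations) and adding the affected and fixed Archiva versions or the recommended mitigation, so a reader can check their own log4j2.xml against it. Style point: the new CVE-2021-45105 line writes "Apache Log4j2" while the CVE-2021-45046 line and the existing CVE-2021-44228 entry write "Apache log4j2"; pick one spelling for the page.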