Posted to commits@archiva.apache.org by ma...@apache.org on 2021/12/19 10:17:38 UTC

[archiva-site] 01/02: Adding new security information

This is an automated email from the ASF dual-hosted git repository.

martin_s pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/archiva-site.git

commit 19f2dd9a5767fec50695ca784445e5581078619b
Author: Martin Stockhammer <ma...@apache.org>
AuthorDate: Sun Dec 19 11:15:27 2021 +0100

    Adding new security information
---
 src/site/apt/security.apt | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/site/apt/security.apt b/src/site/apt/security.apt
index 136004d..3b6a113 100644
--- a/src/site/apt/security.apt
+++ b/src/site/apt/security.apt
@@ -36,6 +36,14 @@ Security Vulnerabilities
 
 %{toc|fromDepth=2|toDepth=2}
 
+* {CVE-2021-45105}: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation
+
+  This may be used by attackers, if users changed the default Archiva log4j2.xml configuration.
+  
+* {CVE-2021-45046}: Apache log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
+ 
+  This may be used by attackers, if users changed the default Archiva log4j2.xml configuration.
+
 * {CVE-2021-44228}: Apache log4j2 is vulnerable to remote code execution
 
   As mentioned in this CVE Apache log4j2 libraries are vulnerable to remote code execution.
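Review bot: Both added entries (CVE-2021-45105 and CVE-2021-45046) carry the identical sentence "This may be used by attackers, if users changed the default Archiva log4j2.xml configuration.", which does not tell an administrator which kind of change to log4j2.xml exposes them or what action to take. Suggest naming the configuration feature involved (the CVE-2021-45046 heading already points at Thread Context lookup patterns), stating explicitly that the shipped default configuration is not affected if that is the intent, and adding the affected Archiva releases and the fix or mitigation. Minor points: the product name is spelled "Apache Log4j2" in the first heading and "Apache log4j2" in the other two, and the otherwise empty added lines after the first body text and after the second heading contain trailing whitespace.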