You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@logging.apache.org by rg...@apache.org on 2022/01/17 20:42:00 UTC

[logging-log4j-site] branch asf-staging updated: Fix typo

This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-log4j-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 52a159e  Fix typo
52a159e is described below

commit 52a159e90e0e818f72461c4b2e62c0663eec67e3
Author: Ralph Goers <rg...@apache.org>
AuthorDate: Mon Jan 17 13:41:52 2022 -0700

    Fix typo
---
 log4j-1.2.17/index.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/log4j-1.2.17/index.html b/log4j-1.2.17/index.html
index 1dcf5cd..aa98382 100644
--- a/log4j-1.2.17/index.html
+++ b/log4j-1.2.17/index.html
@@ -159,8 +159,8 @@
                 <p><a href="https://www.cvedetails.com/cve/CVE-2019-17571/">CVE-2019-17571</a> is a high severity issue targeting the SocketServer. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. 
                 This can provide an attack vector that can be expoited.</p>
                 <p><a href="https://www.cvedetails.com/cve/CVE-2020-9488/">CVE-2020-9488</a> is a moderate severity issue with the SMTPAppender. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.</p>
-                <p><a href="https://www.cvedetails.com/cve/CVE-2021-4104/">CVE-2021-4104</a> is a high severity deserialization vulnerability in JMSAppender. JMSAppender uses JNDI in an unprotected manner allowing any application using the JMSAppender to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, he attacker can cause remote code execution by manipulating the data in the LDAP store.</p>
-                <p><a href="https://www.cvedetails.com/cve/CVE-2022-23302/">CVE-2022-23302</a> is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, he attacker can cause remote code execution by manipulating the data in the LDAP store.</p>
+                <p><a href="https://www.cvedetails.com/cve/CVE-2021-4104/">CVE-2021-4104</a> is a high severity deserialization vulnerability in JMSAppender. JMSAppender uses JNDI in an unprotected manner allowing any application using the JMSAppender to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.</p>
+                <p><a href="https://www.cvedetails.com/cve/CVE-2022-23302/">CVE-2022-23302</a> is a high severity deserialization vulnerability in JMSSink. JMSSink uses JNDI in an unprotected manner allowing any application using the JMSSink to be vulnerable if it is configured to reference an untrusted site or if the site referenced can be accesseed by the attacker. For example, the attacker can cause remote code execution by manipulating the data in the LDAP store.</p>
                 <p><a href="https://www.cvedetails.com/cve/CVE-2022-23305/">CVE-2022-23305</a> is a high serverity SQL injection flaw in JDBCAppender that allows the data being logged to modify the behavior of the component. By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL [...]
                 <p><a href="https://www.cvedetails.com/cve/CVE-2022-23307/">CVE-2022-23307</a> is a critical severity against the chainsaw component in Log4j 1.x. This is the same issue corrected in CVE-2020-9493 fixed in Chainsaw 2.1.0 but Chainsaw was included as part of Log4j 1.2.x.</p> 
               <h2>Java Version Incompatibilities</h2>