CVE-2018-1285
high-risk
Published 2020-05-11
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
Do I need to act?
49.0% chance of exploitation in next 30 days
EPSS score — higher than 51% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10 · Critical
Attack vector: NETWORK / LOW complexity
Affected Products (11)
Manageability Software Development Kit
Affected Vendors
References (34)
Issue Tracking
https://issues.apache.org/jira/browse/LOG4NET-575
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220909-0001/
Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html
Risk score: 66 / 100 · high-risk
Severity: 32/34 · Critical
Exploitability: 18/34 · Moderate
Exposure: 16/34 · Moderate