GHSA-p6xc-xr62-6r2g - HIGH Vulnerability | GeekWala
Loading...
Skip to main content
GeekWala

GHSA-p6xc-xr62-6r2g

HIGH

Apache Log4j2 vulnerable to Improper Input Validation and Uncontrolled Recursion

Published December 18, 2021Updated May 9, 2025Source: osv

Details

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. # Affected packages Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` should be kept at the same version as the `org.apache.logging.log4j:log4j-core` package to ensure compatability if in use.

Remediation

Upgrade to the fixed version using your package manager.

Maven
Update org.apache.logging.log4j:log4j-core to 2.12.3 or later
<!-- Update pom.xml dependency version to 2.12.3 for org.apache.logging.log4j:log4j-core -->
Maven
Update org.apache.logging.log4j:log4j-core to 2.3.1 or later
<!-- Update pom.xml dependency version to 2.3.1 for org.apache.logging.log4j:log4j-core -->
Maven
Update org.ops4j.pax.logging:pax-logging-log4j2 to 1.11.12 or later
<!-- Update pom.xml dependency version to 1.11.12 for org.ops4j.pax.logging:pax-logging-log4j2 -->
Maven
Update org.ops4j.pax.logging:pax-logging-log4j2 to 1.10.9 or later
<!-- Update pom.xml dependency version to 1.10.9 for org.ops4j.pax.logging:pax-logging-log4j2 -->
Maven
Update org.ops4j.pax.logging:pax-logging-log4j2 to 1.9.2 or later
<!-- Update pom.xml dependency version to 1.9.2 for org.ops4j.pax.logging:pax-logging-log4j2 -->
Maven
Update org.ops4j.pax.logging:pax-logging-log4j2 to 2.0.13 or later
<!-- Update pom.xml dependency version to 2.0.13 for org.ops4j.pax.logging:pax-logging-log4j2 -->
Maven
Update org.apache.logging.log4j:log4j-core to 2.17.0 or later
<!-- Update pom.xml dependency version to 2.17.0 for org.apache.logging.log4j:log4j-core -->

After upgrading, run your dependency scanner again to confirm the vulnerability is resolved.

Affected Packages (7)

PackageEcosystemAffectedFixed In
org.apache.logging.log4j:log4j-core
Maven
2.10.0, 2.11.0, 2.11.1, 2.11.2 (+15 more)2.12.3
org.apache.logging.log4j:log4j-core
Maven
2.0, 2.0-alpha1, 2.0-alpha2, 2.0-beta1 (+15 more)2.3.1
org.ops4j.pax.logging:pax-logging-log4j2
Maven
1.11.0, 1.11.1, 1.11.10, 1.11.11 (+8 more)1.11.12
org.ops4j.pax.logging:pax-logging-log4j2
Maven
1.10.0, 1.10.1, 1.10.2, 1.10.3 (+5 more)1.10.9
org.ops4j.pax.logging:pax-logging-log4j2
Maven
1.8.0, 1.8.1, 1.8.2, 1.8.3 (+6 more)1.9.2
org.ops4j.pax.logging:pax-logging-log4j2
Maven
2.0.0, 2.0.1, 2.0.10, 2.0.11 (+9 more)2.0.13
org.apache.logging.log4j:log4j-core
Maven
2.13.0, 2.13.1, 2.13.2, 2.13.3 (+4 more)2.17.0

Vulnerability Classification

Common Weakness Enumeration (CWE) identifiers for this vulnerability type.

CVSS Score Breakdown

What the CVSS (Common Vulnerability Scoring System) 3.1 score means for each attack dimension.

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

References

Risk Assessment

CVSS Score
3.1

Exploitation is difficult or impact is minor. Address in your next planned update.

EPSS Score (30-day exploit probability)
71.36%
Higher than 99% of vulnerabilities

Also Known As

CVE-2021-45105

Check if you're affected

Scan your dependencies to see if this vulnerability affects your projects.

Scan Your Dependencies