{"containers": {"cna": {"affected": [{"product": "Apache log4net", "vendor": "n/a", "versions": [{"status": "affected", "version": "Apache log4net up to 2.0.8"}]}], "descriptions": [{"lang": "en", "value": "Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files."}], "problemTypes": [{"descriptions": [{"description": "XXE", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-09T17:06:20", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "FEDORA-2020-cfc319e067", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2U233HVAQDSZ2PRG4XSGDASLY3J6ALH/"}, {"name": "FEDORA-2020-73d380e9b9", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKL2LPINAI6BCMXOH4V4HVHGLUXIWOFO/"}, {"name": "FEDORA-2020-847775bf79", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/"}, {"name": "[logging-dev] 20200525 [CVE-2018-1285] XXE vulnerability in Apache log4net", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369c1157243d840d9%40%3Cdev.logging.apache.org%3E"}, {"name": "[logging-dev] 20200525 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc4341251577aac8e3866%40%3Cdev.logging.apache.org%3E"}, {"name": "[logging-dev] 20200617 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ffa8d37a03ab4b0f%40%3Cdev.logging.apache.org%3E"}, {"name": "[logging-dev] 20200730 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99b5fe73c5200b6a%40%3Cdev.logging.apache.org%3E"}, {"name": "[logging-dev] 20200826 log4net.dll - does 2.0.9 fix CVE-2018-1285", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f653335de146e09ae2d%40%3Cdev.logging.apache.org%3E"}, {"name": "[logging-dev] 20200826 Re: log4net.dll - does 2.0.9 fix CVE-2018-1285", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41c9e9ad9e29a732%40%3Cdev.logging.apache.org%3E"}, {"name": "[logging-dev] 20200906 [VOTE] [log4net] Release 2.0.10", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b3e3d5025cc4872%40%3Cdev.logging.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://issues.apache.org/jira/browse/LOG4NET-575"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"name": "[logging-dev] 20210817 Solution for vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc34904d42a7f14f39c3%40%3Cdev.logging.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220909-0001/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2018-1285", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache log4net", "version": {"version_data": [{"version_value": "Apache log4net up to 2.0.8"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XXE"}]}]}, "references": {"reference_data": [{"name": "FEDORA-2020-cfc319e067", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2U233HVAQDSZ2PRG4XSGDASLY3J6ALH/"}, {"name": "FEDORA-2020-73d380e9b9", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKL2LPINAI6BCMXOH4V4HVHGLUXIWOFO/"}, {"name": "FEDORA-2020-847775bf79", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/"}, {"name": "[logging-dev] 20200525 [CVE-2018-1285] XXE vulnerability in Apache log4net", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369c1157243d840d9@%3Cdev.logging.apache.org%3E"}, {"name": "[logging-dev] 20200525 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc4341251577aac8e3866@%3Cdev.logging.apache.org%3E"}, {"name": "[logging-dev] 20200617 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ffa8d37a03ab4b0f@%3Cdev.logging.apache.org%3E"}, {"name": "[logging-dev] 20200730 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99b5fe73c5200b6a@%3Cdev.logging.apache.org%3E"}, {"name": "[logging-dev] 20200826 log4net.dll - does 2.0.9 fix CVE-2018-1285", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f653335de146e09ae2d@%3Cdev.logging.apache.org%3E"}, {"name": "[logging-dev] 20200826 Re: log4net.dll - does 2.0.9 fix CVE-2018-1285", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41c9e9ad9e29a732@%3Cdev.logging.apache.org%3E"}, {"name": "[logging-dev] 20200906 [VOTE] [log4net] Release 2.0.10", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b3e3d5025cc4872@%3Cdev.logging.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpujan2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"name": "https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E"}, {"name": "https://issues.apache.org/jira/browse/LOG4NET-575", "refsource": "MISC", "url": "https://issues.apache.org/jira/browse/LOG4NET-575"}, {"name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"name": "[logging-dev] 20210817 Solution for vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc34904d42a7f14f39c3@%3Cdev.logging.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://security.netapp.com/advisory/ntap-20220909-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220909-0001/"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-1285", "datePublished": "2020-05-11T16:41:28", "dateReserved": "2017-12-07T00:00:00", "dateUpdated": "2022-09-09T17:06:20", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:log4net:*:*:*:*:*:*:*:*", "matchCriteriaId": "25722484-A982-4D6B-A740-7196B27E1E06", "versionEndExcluding": "2.0.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "A125E817-F974-4509-872C-B71933F42AD1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*", "matchCriteriaId": "A1817C30-7B0B-441A-9567-B8DD7C6E646C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*", "matchCriteriaId": "95D6A426-B914-401F-9AB0-5F5E3A3FE138", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_simphony:18.2.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "455173C4-7FCF-45F9-8F6F-DC00D77B32A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_simphony:19.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "642DE02B-F471-4922-9AFB-FBA0C29D7E8A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*", "matchCriteriaId": "D39DCAE7-494F-40B2-867F-6C6A077939DD", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "matchCriteriaId": "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files."}, {"lang": "es", "value": "Apache log4net versiones anteriores a 2.0.10, no deshabilita las entidades externas XML cuando analiza los archivos de configuraci\u00f3n de log4net. Esto permite realizar ataques basados en XXE en aplicaciones que aceptan archivos de configuraci\u00f3n log4net controlados por el atacante"}], "id": "CVE-2018-1285", "lastModified": "2023-11-07T02:55:54.800", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-11T17:15:10.923", "references": [{"source": "security@apache.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/LOG4NET-575"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b3e3d5025cc4872%40%3Cdev.logging.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369c1157243d840d9%40%3Cdev.logging.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc34904d42a7f14f39c3%40%3Cdev.logging.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ffa8d37a03ab4b0f%40%3Cdev.logging.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99b5fe73c5200b6a%40%3Cdev.logging.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc4341251577aac8e3866%40%3Cdev.logging.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41c9e9ad9e29a732%40%3Cdev.logging.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f653335de146e09ae2d%40%3Cdev.logging.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2U233HVAQDSZ2PRG4XSGDASLY3J6ALH/"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKL2LPINAI6BCMXOH4V4HVHGLUXIWOFO/"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220909-0001/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}