XXE Vulnerability in Apache log4net Affecting Multiple Versions
CVE-2018-1285

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Log4net
Vendor: CVE Published:; 11 May 2020

🔔 Create Apache Vulnerability Alert

Badges

👾 Exploit Exists🟣 EPSS 49%

What is CVE-2018-1285?

The vulnerability in Apache log4net allows attackers to execute XXE-based attacks due to insufficient handling of XML external entities when parsing log4net configuration files. This log4net version flaw can lead to exposure of sensitive data or service disruption, making applications that utilize attacker-controlled log4net configuration files susceptible to exploitation.

Affected Version(s)

Apache log4net Apache log4net up to 2.0.8

References

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

EPSS Score

49% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Dec 31, 2021
👾
Exploit known to exist
Dec 31, 2021
Vulnerability published
May 11, 2020
Vulnerability Reserved
Dec 7, 2017

CVE-2018-1285 Data

.