CVE-2020-9488

3.7LOW

Key Information:

Vendor: Apache
Status: Apache Log4j
Vendor: CVE Published:; 27 April 2020

Summary

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Affected Version(s)

Apache Log4j log4j-core 2.13.0

Apache Log4j log4j-core < 2.12.3

References

https://lists.apache.org/thread.html/r8c001b9a95c0bbec06f...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/r2f209d271349bafd915...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 27, 2020
Vulnerability Reserved
Mar 1, 2020

.