Apache Log4cxx: SQL injection when using ODBC appender
CVE-2023-31038

8.8 HIGH

Key Information:

Vendor

Apache

CVE Published:
8 May 2023

What is CVE-2023-31038?

Apache Log4cxx is susceptible to SQL injection when the ODBC appender is used, because logged values were not escaped or parameter-bound before being placed into database statements. This affects any C++ application built with ODBC support that logs user-controlled input through the ODBC appender in versions before 1.1.0. When logged input is inserted directly into SQL statement text instead of being bound as a parameter, attacker-controlled content in a log message can alter the statement executed against the log database. To mitigate this issue, users should upgrade to version 1.1.0 or later, in which the ODBC appender binds parameters properly in SQL statements. Migrating to the DBAppender class provides additional security and flexibility, although it requires updating configuration files accordingly.

Affected Version(s)

Apache Log4cxx 0.9.0 < 1.1.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved