Apache Log4cxx: SQL injection when using ODBC appender
CVE-2023-31038
What is CVE-2023-31038?
Apache Log4cxx is susceptible to SQL injection when the ODBC appender is used without proper escaping of database input. The vulnerability affects C++ applications built against Log4cxx versions before 1.1.0 with ODBC support enabled that log user-controlled input through the ODBC appender. Because the logged text is spliced directly into the SQL statement rather than passed as a bound parameter, the stored log records can be manipulated by the input being logged. To mitigate this issue, upgrade to version 1.1.0 or later, which binds parameters in the SQL statements it issues. Migrating to the DBAppender class provides additional security and flexibility, although it requires adjusting the configuration files accordingly.
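The two patterns the advisory contrasts, shown as an added example that is not Log4cxx code: an appender that splices the log message into the INSERT text (the pre-1.1.0 behaviour) beside one that passes the message as a bound parameter (the 1.1.0 fix). Python's built-in sqlite3 module stands in for the ODBC connection here so the example runs offline; the table layout, the function names and the crafted message are all constructed for this illustration.

```python
import sqlite3

# Constructed log message for the demonstration. It closes the open string
# literal and opens a second VALUES tuple, so the concatenating appender
# stores a second, forged log row instead of one row with this text.
CRAFTED_MESSAGE = "login ok'), ('ERROR', 'forged entry"

# A benign message that also breaks the concatenating appender.
APOSTROPHE_MESSAGE = "user O'Brien signed in"


def new_log_db():
    """In-memory stand-in for the ODBC data source (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logs (id INTEGER PRIMARY KEY, level TEXT, message TEXT)"
    )
    return conn


def append_by_concatenation(conn, level, message):
    """Vulnerable pattern: the logged text becomes part of the SQL text."""
    sql = "INSERT INTO logs (level, message) VALUES ('%s', '%s')" % (level, message)
    conn.execute(sql)
    conn.commit()


def append_with_bound_params(conn, level, message):
    """Fixed pattern: the SQL text is constant, values travel as parameters
    (the equivalent of SQLPrepare/SQLBindParameter/SQLExecute over ODBC)."""
    conn.execute("INSERT INTO logs (level, message) VALUES (?, ?)", (level, message))
    conn.commit()


def stored_rows(conn):
    """Return (level, message) tuples in insertion order."""
    return conn.execute("SELECT level, message FROM logs ORDER BY id").fetchall()


def demo(appender, message=CRAFTED_MESSAGE):
    """Log one message with the given appender and return what was stored."""
    conn = new_log_db()
    appender(conn, "INFO", message)
    return stored_rows(conn)


def concatenation_breaks_on_apostrophe():
    """True if an ordinary apostrophe already makes the vulnerable appender fail."""
    try:
        demo(append_by_concatenation, APOSTROPHE_MESSAGE)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print("concatenation:", demo(append_by_concatenation))
    print("bound params: ", demo(append_with_bound_params))
    print("apostrophe breaks concatenation:", concatenation_breaks_on_apostrophe())
```

With concatenation, one log call yields two rows, the second of which the application never wrote; with bound parameters, exactly one row is stored and its message column holds the crafted text verbatim. The apostrophe case shows the same defect surfacing as a plain failure to log, which is the symptom a defender is more likely to notice first.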

Affected Version(s)
Apache Log4cxx from 0.9.0 up to, but not including, 1.1.0