CVSSv3: 9.8

CVE-2018-1285

Published: 11/05/2020 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Apache log4net versions prior to 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

Vulnerable Products

apache log4net

fedoraproject fedora 30

fedoraproject fedora 31

fedoraproject fedora 32

oracle application testing suite 13.3.0.1

oracle hospitality simphony 19.1.3

oracle hospitality simphony 18.2.7.2

oracle hospitality opera 5 5.5

oracle hospitality opera 5 5.6

netapp snapcenter -

netapp manageability software development kit -

Vendor Advisories

Debian Bug report logs - #977468 CVE-2018-1285. Package: src:log4net; Maintainer for src:log4net is Debian CLI Libraries Team <pkg-cli-libs-team@lists.alioth.debian.org>; Reported by: Moritz Muehlenhoff <jmm@debian.org>; Date: Tue, 15 Dec 2020 12:21:06 UTC; Severity: important; Tags: security; Forwarded to iss ...

Mailing Lists

oss-sec mailing list archives: [CVE-2018-1285] XXE vulnerability in Apache log4net. From: Matt Sicker ...

Github Repositories

Translation of the outlookcaldavsynchronizer README (German):

Outlook CalDav Synchronizer: an Outlook plug-in that synchronizes events, tasks and contacts between Outlook and Google, SOGo, Horde or any other CalDAV or CardDAV server. Supported Outlook versions are 2019, 2016, 2013, 2010 and 2007. Project homepage: caldavsynchronizer.org. License: Affero GNU Public License. Authors: Gerhard Zehetbauer, Alexande ...

DotNetTest: a minimal C# application that deliberately references NuGet packages with known vulnerabilities. While the following components are included as references in the project file DotNetTest.csproj, the only file containing code, Program.cs, does not reference any of these vulnerable components. Components referenced: Component ID, Version, Highest CVSS Score, CVE ID(s)

Test application for CVE-2018-1285 alert for Solarwinds DLLs

Log4NetSolarWindsSNMP - Test application for CVE-2018-1285 alert for Solarwinds DLLs

Sync Outlook with Google, SOGo, Nextcloud or any other CalDAV/CardDAV server

Outlook CalDav Synchronizer: an Outlook plug-in which synchronizes events, tasks and contacts between Outlook and Google, SOGo, Horde or any other CalDAV or CardDAV server. Supported Outlook versions are 2021, 2019, 2016, 2013, 2010 and 2007 and Office 365 for Desktop. Project homepage: caldavsynchronizer.org. License: Affero GNU Public License. Authors: Gerhard Zehetbauer, Alexa ...

References

CWE-611
https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E
https://issues.apache.org/jira/browse/LOG4NET-575
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://security.netapp.com/advisory/ntap-20220909-0001/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2U233HVAQDSZ2PRG4XSGDASLY3J6ALH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKL2LPINAI6BCMXOH4V4HVHGLUXIWOFO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/
https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369c1157243d840d9%40%3Cdev.logging.apache.org%3E
https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc4341251577aac8e3866%40%3Cdev.logging.apache.org%3E
https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ffa8d37a03ab4b0f%40%3Cdev.logging.apache.org%3E
https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99b5fe73c5200b6a%40%3Cdev.logging.apache.org%3E
https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f653335de146e09ae2d%40%3Cdev.logging.apache.org%3E
https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41c9e9ad9e29a732%40%3Cdev.logging.apache.org%3E
https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b3e3d5025cc4872%40%3Cdev.logging.apache.org%3E
https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc34904d42a7f14f39c3%40%3Cdev.logging.apache.org%3E
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977468
https://nvd.nist.gov
https://github.com/SeppPenner/outlookcaldavsynchronizer-german-readme