forked from jtsmith2020/verademo-java
Status: Open
Labels: Severity: Very High (Very High severity); Veracode Dependency Scanning (a Veracode identified vulnerability)
Description
Veracode Software Composition Analysis
| Attribute | Details |
|---|---|
| Library | Apache Log4j |
| Description | Apache Log4j 1.2 |
| Language | JAVA |
| Vulnerability | Remote Code Execution (RCE) |
| Vulnerability description | Apache Chainsaw in log4j is vulnerable to remote code execution. The vulnerability is caused by deserialization of untrusted objects, which allows an attacker to execute malicious code on the system. |
| CVE | CVE-2022-23307 |
| CVSS score | 9 |
| Vulnerability present in version/s | 1.1.3-1.2.17 |
| Found library version/s | 1.2.17 |
| Vulnerability fixed in version | |
| Library latest version | 1.2.17 |
| Fix | There is currently no fixed version for this package. Upgrade to log4j 2, use another utility to view logs, or remove the Chainsaw component if possible. |