{"containers":{"cna":{"affected":[{"product":"Apache log4net","vendor":"n/a","versions":[{"status":"affected","version":"Apache log4net up to 2.0.8"}]}],"descriptions":[{"lang":"en","value":"Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files."}],"problemTypes":[{"descriptions":[{"description":"XXE","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2022-09-09T17:06:20.000Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"name":"FEDORA-2020-cfc319e067","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2U233HVAQDSZ2PRG4XSGDASLY3J6ALH/"},{"name":"FEDORA-2020-73d380e9b9","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKL2LPINAI6BCMXOH4V4HVHGLUXIWOFO/"},{"name":"FEDORA-2020-847775bf79","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/"},{"name":"[logging-dev] 20200525 [CVE-2018-1285] XXE vulnerability in Apache log4net","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369c1157243d840d9%40%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200525 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc4341251577aac8e3866%40%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200617 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ffa8d37a03ab4b0f%40%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200730 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99b5fe73c5200b6a%40%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200826 log4net.dll - does 2.0.9 fix CVE-2018-1285","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f653335de146e09ae2d%40%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200826 Re: log4net.dll - does 2.0.9 fix CVE-2018-1285","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41c9e9ad9e29a732%40%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200906 [VOTE] [log4net] Release 2.0.10","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b3e3d5025cc4872%40%3Cdev.logging.apache.org%3E"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"tags":["x_refsource_MISC"],"url":"https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E"},{"tags":["x_refsource_MISC"],"url":"https://issues.apache.org/jira/browse/LOG4NET-575"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"name":"[logging-dev] 20210817 Solution for vulnerability","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc34904d42a7f14f39c3%40%3Cdev.logging.apache.org%3E"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://security.netapp.com/advisory/ntap-20220909-0001/"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2018-1285","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache log4net","version":{"version_data":[{"version_value":"Apache log4net up to 2.0.8"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"XXE"}]}]},"references":{"reference_data":[{"name":"FEDORA-2020-cfc319e067","refsource":"FEDORA","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2U233HVAQDSZ2PRG4XSGDASLY3J6ALH/"},{"name":"FEDORA-2020-73d380e9b9","refsource":"FEDORA","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKL2LPINAI6BCMXOH4V4HVHGLUXIWOFO/"},{"name":"FEDORA-2020-847775bf79","refsource":"FEDORA","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/"},{"name":"[logging-dev] 20200525 [CVE-2018-1285] XXE vulnerability in Apache log4net","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369c1157243d840d9@%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200525 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc4341251577aac8e3866@%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200617 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ffa8d37a03ab4b0f@%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200730 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99b5fe73c5200b6a@%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200826 log4net.dll - does 2.0.9 fix CVE-2018-1285","refsource":"MLIST","url":"https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f653335de146e09ae2d@%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200826 Re: log4net.dll - does 2.0.9 fix CVE-2018-1285","refsource":"MLIST","url":"https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41c9e9ad9e29a732@%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200906 [VOTE] [log4net] Release 2.0.10","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b3e3d5025cc4872@%3Cdev.logging.apache.org%3E"},{"name":"https://www.oracle.com/security-alerts/cpujan2021.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"name":"https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E","refsource":"MISC","url":"https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E"},{"name":"https://issues.apache.org/jira/browse/LOG4NET-575","refsource":"MISC","url":"https://issues.apache.org/jira/browse/LOG4NET-575"},{"name":"https://www.oracle.com/security-alerts/cpuApr2021.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"name":"[logging-dev] 20210817 Solution for vulnerability","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc34904d42a7f14f39c3@%3Cdev.logging.apache.org%3E"},{"name":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"name":"https://security.netapp.com/advisory/ntap-20220909-0001/","refsource":"CONFIRM","url":"https://security.netapp.com/advisory/ntap-20220909-0001/"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-05T03:59:37.654Z"},"title":"CVE Program Container","references":[{"name":"FEDORA-2020-cfc319e067","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2U233HVAQDSZ2PRG4XSGDASLY3J6ALH/"},{"name":"FEDORA-2020-73d380e9b9","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKL2LPINAI6BCMXOH4V4HVHGLUXIWOFO/"},{"name":"FEDORA-2020-847775bf79","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT2DNNSW7C7FNK3MA3SLEUHGW5USYZKE/"},{"name":"[logging-dev] 20200525 [CVE-2018-1285] XXE vulnerability in Apache log4net","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r33564de316d4e4ba0fea1d4d079e62cde1ffe64369c1157243d840d9%40%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200525 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r9de86a185575e6c5f92e2a70a1d2e2e9514dc4341251577aac8e3866%40%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200617 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r6543acafca3e2d24ff4b0c364a91540cb9378977ffa8d37a03ab4b0f%40%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200730 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r7ab6b6e702f11a6f77b0db2af2d5e5532f56ae4b99b5fe73c5200b6a%40%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200826 log4net.dll - does 2.0.9 fix CVE-2018-1285","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/rdbac24c945ca5c69cd5348b5ac023bc625768f653335de146e09ae2d%40%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200826 Re: log4net.dll - does 2.0.9 fix CVE-2018-1285","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/rd2d72a017e238d1f345f9d14e075c81be16fc68a41c9e9ad9e29a732%40%3Cdev.logging.apache.org%3E"},{"name":"[logging-dev] 20200906 [VOTE] [log4net] Release 2.0.10","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r00b16ac5e0bbf7009a0d167ed58f3f94d0033b0f4b3e3d5025cc4872%40%3Cdev.logging.apache.org%3E"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://lists.apache.org/thread.html/reab1c277c95310bad1038255e0757857b2fbe291411b4fa84552028a%40%3Cdev.logging.apache.org%3E"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://issues.apache.org/jira/browse/LOG4NET-575"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"name":"[logging-dev] 20210817 Solution for vulnerability","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r525cbbd7db0aef4a114cf60de8439aa285decc34904d42a7f14f39c3%40%3Cdev.logging.apache.org%3E"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://security.netapp.com/advisory/ntap-20220909-0001/"}]}]},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2018-1285","datePublished":"2020-05-11T16:41:28.000Z","dateReserved":"2017-12-07T00:00:00.000Z","dateUpdated":"2024-08-05T03:59:37.654Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}