CVE-2018-1285
Published: May 11, 2020
Modified: Aug 5, 2024
PUBLISHED
Description
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
| Vendor | Product | Versions |
|---|---|---|
| n/a | Apache log4net | affected Apache log4net up to 2.0.8 |
References
- FEDORA-2020-cfc319e067 (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2020-73d380e9b9 (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2020-847775bf79 (vendor-advisory, x_refsource_FEDORA)
- [logging-dev] 20200525 [CVE-2018-1285] XXE vulnerability in Apache log4net (mailing-list, x_refsource_MLIST)
- [logging-dev] 20200525 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net (mailing-list, x_refsource_MLIST)
- [logging-dev] 20200617 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net (mailing-list, x_refsource_MLIST)
- [logging-dev] 20200730 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net (mailing-list, x_refsource_MLIST)
- [logging-dev] 20200826 log4net.dll - does 2.0.9 fix CVE-2018-1285 (mailing-list, x_refsource_MLIST)
- [logging-dev] 20200826 Re: log4net.dll - does 2.0.9 fix CVE-2018-1285 (mailing-list, x_refsource_MLIST)
- [logging-dev] 20200906 [VOTE] [log4net] Release 2.0.10 (mailing-list, x_refsource_MLIST)
- https://www.oracle.com/security-alerts/cpujan2021.html (x_refsource_MISC)
- https://issues.apache.org/jira/browse/LOG4NET-575 (x_refsource_MISC)
- https://www.oracle.com/security-alerts/cpuApr2021.html (x_refsource_MISC)
- [logging-dev] 20210817 Solution for vulnerability (mailing-list, x_refsource_MLIST)
- https://www.oracle.com/security-alerts/cpuapr2022.html (x_refsource_MISC)
- https://security.netapp.com/advisory/ntap-20220909-0001/ (x_refsource_CONFIRM)