ID CVE-2018-1285
Summary Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
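Added illustration (not log4net's own code and not part of this record): a constructed log4net configuration carrying an external entity is loaded twice with the .NET XmlReader API, once with DTD parsing and a resolver enabled, which is the posture a pre-2.0.10 reader amounts to, and once with DTDs prohibited and no resolver. The class and method names, the temp-file "secret" and the config content are assumptions made for the example. Upgrading to 2.0.10 or later is the fix; the hardened loader shows what an application that accepts configuration from an untrusted source should insist on if it pre-validates or parses that file itself.

```csharp
using System;
using System.IO;
using System.Xml;

// Illustration only: not log4net's code. Shows an external entity being expanded
// into a log4net configuration value, and the reader settings that refuse it.
public static class Log4netXxeDemo
{
    // Constructed stand-in for a file the attacker wants read off the host.
    public static string WriteSecretFile()
    {
        string path = Path.GetTempFileName();
        File.WriteAllText(path, "hostname=db01.internal");
        return path;
    }

    // Constructed, attacker-controlled configuration. The SYSTEM entity is
    // referenced inside a conversionPattern, so whatever it resolves to ends
    // up in a parsed configuration value (and, in a real app, in the log output).
    public static string BuildMaliciousConfig(string secretFilePath)
    {
        string fileUri = new Uri(secretFilePath).AbsoluteUri;
        return
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE log4net [ <!ENTITY xxe SYSTEM \"" + fileUri + "\"> ]>\n" +
            "<log4net>\n" +
            "  <appender name=\"Console\" type=\"log4net.Appender.ConsoleAppender\">\n" +
            "    <layout type=\"log4net.Layout.PatternLayout\">\n" +
            "      <conversionPattern value=\"&xxe; %message%newline\" />\n" +
            "    </layout>\n" +
            "  </appender>\n" +
            "  <root>\n" +
            "    <level value=\"DEBUG\" />\n" +
            "    <appender-ref ref=\"Console\" />\n" +
            "  </root>\n" +
            "</log4net>\n";
    }

    // Vulnerable posture: the DTD is parsed and a URL resolver is available,
    // so the SYSTEM entity is fetched and expanded while the document loads.
    public static string LoadUnsafely(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument();
            doc.Load(reader);
            return doc.SelectSingleNode("//conversionPattern/@value").Value;
        }
    }

    // Hardened posture: any DOCTYPE is rejected and no resolver exists, so the
    // reader never reaches the point of fetching external content.
    public static string LoadSafely(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument();
            doc.Load(reader); // throws XmlException at the DOCTYPE declaration
            return doc.SelectSingleNode("//conversionPattern/@value").Value;
        }
    }

    public static void Main()
    {
        string secretFile = WriteSecretFile();
        string config = BuildMaliciousConfig(secretFile);

        // The temp file's contents appear where the attacker placed &xxe;.
        Console.WriteLine("Unsafe load, pattern value: " + LoadUnsafely(config));

        try
        {
            LoadSafely(config);
            Console.WriteLine("Safe load unexpectedly accepted the config");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("Safe load rejected the config: " + ex.Message);
        }
        File.Delete(secretFile);
    }
}
```

The same entity could just as well point at an http:// URL (turning the load into a server-side request) or, combined with a parameter entity, at a resource chosen to exhaust the parser, which is the denial-of-service variant the CAPEC entry below describes; the `DtdProcessing.Prohibit` setting closes all of those at once because the configuration never needs a DTD in the first place.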
Vulnerable Configurations
  • cpe:2.3:a:apache:log4net:-:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:log4net:1.2.9_beta:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:log4net:1.2.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:log4net:1.2.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:log4net:1.2.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:log4net:1.2.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:log4net:1.2.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:log4net:2.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:log4net:2.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:log4net:2.0.8:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:19.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_simphony:18.2.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 27-10-2022 - 20:05)
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Access
  Vector: NETWORK   Complexity: LOW   Authentication: NONE
Impact
  Confidentiality: PARTIAL   Integrity: PARTIAL   Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
refmap via4
fedora
  • FEDORA-2020-73d380e9b9
  • FEDORA-2020-847775bf79
  • FEDORA-2020-cfc319e067
mlist
  • [logging-dev] 20200525 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net
  • [logging-dev] 20200525 [CVE-2018-1285] XXE vulnerability in Apache log4net
  • [logging-dev] 20200617 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net
  • [logging-dev] 20200730 Re: [CVE-2018-1285] XXE vulnerability in Apache log4net
  • [logging-dev] 20200826 Re: log4net.dll - does 2.0.9 fix CVE-2018-1285
  • [logging-dev] 20200826 log4net.dll - does 2.0.9 fix CVE-2018-1285
  • [logging-dev] 20200906 [VOTE] [log4net] Release 2.0.10
Last major update 27-10-2022 - 20:05
Published 11-05-2020 - 17:15
Last modified 27-10-2022 - 20:05