Vulnerabilities
Log4Shell in dependency log4j-core
critical | open
Description
The bundled log4j-core 2.14 is vulnerable to remote code execution via a crafted ${jndi:ldap://...} lookup. Upgrade to 2.17.1+.
Affected code
pom.xml
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>2.14.1</version>
</dependency>
Details
- Severity: critical
- CVSS: 10.0
- CVE: CVE-2021-44228
- CWE: CWE-502
- File: pom.xml
- Status: open
Remediation
No remediation generated yet. The engineer agent proposes a patch when this finding is triaged.