Uncontrolled Recursion in org.apache.logging.log4j:log4j-core
CVE-2021-45105
- org.apache.logging.log4j:log4j-core
Summary
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3, for users requiring Java 7, and 2.3.1, for users requiring Java 6) did not protect against uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. Only the log4j-core package is directly affected by this vulnerability.
- Severity: HIGH
- Attack vector: NETWORK
- Privileges required: NONE
- User interaction: NONE
- Scope: UNCHANGED
- Confidentiality impact: NONE
- Integrity impact: NONE
- Availability impact: HIGH
CWE-674 - Uncontrolled Recursion
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.
Advisory Timeline
- Published