
Apache Log4j 2.x < 2.13.2 Information Disclosure Vulnerability - Windows CVE-2020-9488

Severity: Low (CVSSv3 score 3.7)
Vulnerability description

Apache Log4j 2.x before 2.13.2 is prone to an information disclosure vulnerability: the SMTP appender does not check that the certificate presented by an SMTPS server matches the configured host, so log messages sent through it can be read by a man-in-the-middle.

Risk description

The Log4j2 SMTP appender does not reject a server certificate whose name does not match the configured host (improper certificate validation on host mismatch). An attacker positioned between the application and the mail server can therefore intercept the SMTPS connection with a certificate issued for a different name and read every log message sent through that appender, which may include sensitive data. The root cause is an error in SslConfiguration, so any element in the Log4j configuration that uses SslConfiguration is also affected; this includes HttpAppender, SocketAppender, and SyslogAppender. Usages of SslConfiguration that are configured via system properties are not affected.

Recommendation

Update to version 2.13.2 or later.
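An added example, not code from Pentest-Tools.com or the Log4j project: a Python triage script that performs the two checks this advisory implies, reading the log4j-core version from the Maven pom.properties inside a jar (assumed present, as it is in Apache's release jars) and listing the appenders in a log4j2.xml whose TLS connection the bug affects (an SMTP appender using smtps, or any SSL-capable appender carrying an Ssl element). It goes slightly beyond the title by treating the whole 2.x line below 2.13.2 as affected. The jar and configuration it runs on are constructed inline and are not from a real deployment.

```python
"""Triage helper for CVE-2020-9488 (Log4j 2.x < 2.13.2, SMTP/SSL appenders)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# First release carrying the fix, per the advisory.
FIXED_VERSION = (2, 13, 2)

# Path Maven writes into Apache's log4j-core release jars (assumed present).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Appender element names that accept a nested <Ssl> (SslConfiguration) element.
SSL_CAPABLE_APPENDERS = {"smtp", "http", "socket", "syslog"}


def parse_version(text):
    """'2.13.1' -> (2, 13, 1). Qualifiers such as '-beta9' or '-rc1' are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(text):
    """True for any 2.x release below 2.13.2; 1.x is a different code base, out of scope."""
    v = parse_version(text)
    return v[0] == 2 and v < FIXED_VERSION


def log4j_core_version(jar_bytes):
    """Read the version from pom.properties inside a jar; None if it is not log4j-core."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def exposed_appenders(config_xml):
    """(element, name) for appenders whose TLS connection this bug affects:
    an SMTP appender using smtps, or any SSL-capable appender with an <Ssl> child."""
    root = ET.fromstring(config_xml)
    hits = []
    for node in root.iter():
        if node.tag.lower() != "appenders":
            continue
        for app in node:  # element names in log4j2.xml are case-insensitive
            tag = app.tag.lower()
            if tag not in SSL_CAPABLE_APPENDERS:
                continue
            has_ssl_element = any(child.tag.lower() == "ssl" for child in app)
            smtps = tag == "smtp" and (app.get("smtpProtocol") or "").lower() == "smtps"
            if has_ssl_element or smtps:
                hits.append((app.tag, app.get("name")))
    return hits


def assess(jar_bytes, config_xml):
    """Vulnerable library AND an exposed appender together mean an upgrade is needed."""
    version = log4j_core_version(jar_bytes)
    vulnerable = version is not None and is_vulnerable_version(version)
    exposed = exposed_appenders(config_xml)
    return {
        "log4j_core_version": version,
        "vulnerable_version": vulnerable,
        "exposed_appenders": exposed,
        "action": "upgrade to 2.13.2 or later" if vulnerable and exposed else "none",
    }


# --- constructed sample input, not taken from any real deployment ---------------

def make_sample_log4j_core_jar(version):
    """Build an in-memory jar that mimics log4j-core's Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


SAMPLE_LOG4J2_XML = """<Configuration status="warn">
  <Appenders>
    <SMTP name="Mail" subject="App error" to="ops@example.com" from="app@example.com"
          smtpHost="mail.example.com" smtpPort="465" smtpProtocol="smtps">
      <Ssl><TrustStore location="truststore.jks" password="changeit"/></Ssl>
    </SMTP>
    <Http name="Collector" url="https://collector.example.com/logs">
      <Ssl><TrustStore location="truststore.jks" password="changeit"/></Ssl>
    </Http>
    <Socket name="PlainSyslog" host="logs.example.com" port="514" protocol="UDP"/>
    <Console name="Stdout"/>
  </Appenders>
</Configuration>
"""

if __name__ == "__main__":
    print(assess(make_sample_log4j_core_jar("2.13.1"), SAMPLE_LOG4J2_XML))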

Codename
Not available
Detectable with
Network Scanner
Scan engine
OpenVAS
Exploitable with Sniper
No
CVE Published
Apr 27, 2020
Detection added at
Software Type
Not available
Vendor
Not available
Product
Not available