Apache Log4j 2.x < 2.13.2 Information Disclosure Vulnerability - Windows CVE-2020-9488
- CVSSv3 Score
- Vulnerability description
Apache Log4j 2.x before 2.13.2 is prone to an information disclosure vulnerability (CVE-2020-9488) in its TLS handling.
- Risk description
The Log4j 2 SMTP appender does not verify that the host name in the server's certificate matches the configured SMTP host. An attacker positioned on the network path can therefore present a certificate that chains to a trusted CA but was issued for a different host, intercept the SMTPS connection, and read every log message sent through that appender. The reported issue was caused by an error in SslConfiguration, so any element that uses SslConfiguration in the Log4j configuration is also affected; this includes HttpAppender, SocketAppender, and SyslogAppender. Usages of SslConfiguration that are configured via system properties are not affected.
Update to version 2.13.2 or later.
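The configuration below is an added example, not part of this advisory or of the Log4j project's own documentation. It shows the affected pattern (an SSL element that never asks for host name verification) beside the hardened form that relies on the verifyHostName attribute added to the SSL element in the 2.13.2 fix; that attribute defaults to false, so upgrading alone does not turn the check on. Host names, ports, addresses, keystore paths and passwords are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the advisory or the Log4j project). All hosts,
     ports, addresses, paths and passwords below are placeholders. -->
<Configuration status="WARN">
  <Appenders>

    <!-- AFFECTED PATTERN: SMTPS with an SSL element that never requests host
         name verification. On 2.x < 2.13.2 no verification is possible at all;
         on 2.13.2+ verifyHostName is unset and therefore false. A certificate
         issued to any other host, chained to a CA in this trust store, is
         accepted and the mailed log messages can be read in transit. -->
    <SMTP name="AlertMailWeak" to="secops@example.internal"
          from="log4j@example.internal" subject="[ALERT] ${hostName}"
          smtpHost="mail.example.internal" smtpPort="465"
          smtpProtocol="smtps" bufferSize="50">
      <PatternLayout pattern="%d %-5p [%t] %c - %m%n"/>
      <SSL>
        <TrustStore location="/etc/app/truststore.p12"
                    password="changeit" type="PKCS12"/>
      </SSL>
    </SMTP>

    <!-- HARDENED: same appender on Log4j 2.13.2 or later with
         verifyHostName="true", so the certificate must match
         mail.example.internal as well as chain to the trust store. -->
    <SMTP name="AlertMail" to="secops@example.internal"
          from="log4j@example.internal" subject="[ALERT] ${hostName}"
          smtpHost="mail.example.internal" smtpPort="465"
          smtpProtocol="smtps" bufferSize="50">
      <PatternLayout pattern="%d %-5p [%t] %c - %m%n"/>
      <SSL verifyHostName="true">
        <TrustStore location="/etc/app/truststore.p12"
                    password="changeit" type="PKCS12"/>
      </SSL>
    </SMTP>

    <!-- The same SslConfiguration element is used by the Socket, Syslog and
         Http appenders, so each of them needs the attribute too. -->
    <Socket name="Collector" host="collector.example.internal"
            port="6514" protocol="SSL">
      <SSL verifyHostName="true">
        <KeyStore location="/etc/app/keystore.p12"
                  password="changeit" type="PKCS12"/>
        <TrustStore location="/etc/app/truststore.p12"
                    password="changeit" type="PKCS12"/>
      </SSL>
      <JsonLayout compact="true" eventEol="true"/>
    </Socket>

  </Appenders>
  <Loggers>
    <Root level="warn">
      <!-- Only the hardened appenders are referenced; AlertMailWeak is kept
           here solely to show the pattern to look for in existing configs. -->
      <AppenderRef ref="AlertMail"/>
      <AppenderRef ref="Collector"/>
    </Root>
  </Loggers>
</Configuration>
```

When auditing an estate, search every Log4j 2 configuration for SSL elements (and for SMTP appenders using smtpProtocol="smtps") and treat any one without verifyHostName="true" as still exposed, regardless of the library version. Storing key store passwords in the configuration file, as the placeholders above do, is itself a weakness; the KeyStore and TrustStore elements also accept the password from an environment variable or a file, which keeps the secret out of a config that is typically world-readable and checked into source control.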
- Not available