Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.apache.logging.log4j:log4j(Maven) | 2.13.0 | 2.13.2 | N/A |
| org.apache.logging.log4j:log4j-core(Maven) | 2.13.0 | 2.13.2 | N/A |
| org.apache.logging.log4j:log4j(Maven) | 2.4.0 | 2.12.3 | N/A |
| org.apache.logging.log4j:log4j(Maven) | 0 | 2.3.2 | N/A |
| org.apache.logging.log4j:log4j-core(Maven) | 2.4.0 | 2.12.3 | N/A |
| org.apache.logging.log4j:log4j-core(Maven) | 0 | 2.3.2 | N/A |
CVSS Metrics
