Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Add affected pax-logging-log4j2 to CVE-2021-44832 #5504

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 7, 2025
Merged

Add affected pax-logging-log4j2 to CVE-2021-44832 #5504

merged 1 commit into from
May 7, 2025

Conversation

ppkarwasz
Copy link

The pax-logging-log4j2 artifact shades log4j-core with minimal modifications.

The correspondence between pax-logging-log4j2 versions and the embedded log4j-core version is given by the table below:

pax-logging-log4j2 version log4j-core version
2.0.10 2.14.1
2.0.11 2.15.0
2.0.12 2.16.0
2.0.13 2.17.0
2.0.14 2.17.1

@ppkarwasz
Add affected pax-logging-log4j2 to CVE-2021-44832
11c15e6 
The `pax-logging-log4j2` artifact shades `log4j-core` with minimal modifications.

The correspondence between `pax-logging-log4j2` versions and the embedded `log4j-core` version is given by the table below:

| `pax-logging-log4j2` version | `log4j-core` version |
|------------------------------|----------------------|
| 2.0.10                       | 2.14.1               |
| 2.0.11                       | 2.15.0               |
| 2.0.12                       | 2.16.0               |
| 2.0.13                       | 2.17.0               |
| 2.0.14                       | 2.17.1               |
@Copilot Copilot AI review requested due to automatic review settings May 5, 2025 14:57
Copilot
Copilot AI reviewed May 5, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)

@github-actions github-actions bot changed the base branch from main to ppkarwasz/advisory-improvement-5504 May 5, 2025 14:58
@advisory-database advisory-database bot merged commit a459579 into github:ppkarwasz/advisory-improvement-5504 May 7, 2025
2 checks passed
@advisory-database
Copy link
Contributor

Hi @ppkarwasz! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

ppkarwasz added a commit to ppkarwasz/advisory-database that referenced this pull request May 9, 2025
@ppkarwasz
fix: add data for pax-logging-log4j2 version 1.x
3e19bdf 
This PR fixes the ranges of `pax-logging-log4j2` releases affected by
four CVEs in `log4j-core`.

In my previous PRs for CVE-2021-44228 (github#5501), CVE-2021-45046 (github#5502),
CVE-2021-45105 (github#5503), and CVE-44832 (github#5504), all versions 1.x of
`pax-logging-log4j2` were listed as affected.
As it turns out, this is incorrect, since 7 security releases of
version 1.x were created to address those issues, as summarized by the
table below:

| PAX Logging version | Log4j Core version | Fixed CVEs                     |
|---------------------|--------------------|--------------------------------|
| 1.9.2               | 2.12.4             | all 4 CVEs                     |
| 1.10.8              | 2.12.2             | CVE-2021-44228, CVE-2021-45046 |
| 1.10.9              | 2.12.4             | CVE-2021-45105, CVE-2021-44832 |
| 1.11.10             | 2.15.0             | CVE-2021-44228                 |
| 1.11.11             | 2.16.0             | CVE-2021-45046                 |
| 1.11.12             | 2.17.0             | CVE-2021-45105                 |
| 1.11.13             | 2.17.1             | CVE-2021-44832                 |
@ppkarwasz ppkarwasz mentioned this pull request May 9, 2025
Closed
ppkarwasz added a commit to ppkarwasz/advisory-database that referenced this pull request May 9, 2025
@ppkarwasz
fix: pax-logging-log4j2 ranges affected by CVE-2021-44832
d9206f5 
This PR fixes the ranges of `pax-logging-log4j2` affected by CVE-2021-44832.

In my previous PRs for CVE-44832 (github#5504) all versions 1.x of `pax-logging-log4j2` were listed as affected. As it turns out, this is incorrect, since 7 security releases of version 1.x were created to address those issues, as summarized by the table below:

| PAX Logging version | Log4j Core version | Fixed CVEs                     |
|---------------------|--------------------|--------------------------------|
| 1.9.2               | 2.12.4             | all 4 CVEs                     |
| 1.10.8              | 2.12.2             | CVE-2021-44228, CVE-2021-45046 |
| 1.10.9              | 2.12.4             | CVE-2021-45105, CVE-2021-44832 |
| 1.11.10             | 2.15.0             | CVE-2021-44228                 |
| 1.11.11             | 2.16.0             | CVE-2021-45046                 |
| 1.11.12             | 2.17.0             | CVE-2021-45105                 |
| 1.11.13             | 2.17.1             | CVE-2021-44832                 |
@ppkarwasz ppkarwasz mentioned this pull request May 9, 2025
Merged
@ppkarwasz ppkarwasz deleted the fix/cve-2021-44832 branch May 9, 2025 12:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ppkarwasz