Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix: pax-logging-log4j2 ranges affected by CVE-2021-45105 #5522

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 9, 2025
Merged

fix: pax-logging-log4j2 ranges affected by CVE-2021-45105 #5522

merged 1 commit into from
May 9, 2025

Conversation

ppkarwasz
Copy link

This PR fixes the ranges of pax-logging-log4j2 affected by CVE-2021-45105.

In my previous PRs for CVE-2021-45105 (#5503) all versions 1.x of pax-logging-log4j2 were listed as affected. As it turns out, this is incorrect, since 7 security releases of version 1.x were created to address those issues, as summarized by the table below:

PAX Logging version Log4j Core version Fixed CVEs
1.9.2 2.12.4 all 4 CVEs
1.10.8 2.12.2 CVE-2021-44228, CVE-2021-45046
1.10.9 2.12.4 CVE-2021-45105, CVE-2021-44832
1.11.10 2.15.0 CVE-2021-44228
1.11.11 2.16.0 CVE-2021-45046
1.11.12 2.17.0 CVE-2021-45105
1.11.13 2.17.1 CVE-2021-44832

@ppkarwasz
fix: pax-logging-log4j2 ranges affected by CVE-2021-45105
fec0142 
This PR fixes the ranges of `pax-logging-log4j2` affected by CVE-2021-45105.

In my previous PRs for CVE-2021-45105 (github#5503) all versions 1.x of `pax-logging-log4j2` were listed as affected. As it turns out, this is incorrect, since 7 security releases of version 1.x were created to address those issues, as summarized by the table below:

| PAX Logging version | Log4j Core version | Fixed CVEs                     |
|---------------------|--------------------|--------------------------------|
| 1.9.2               | 2.12.4             | all 4 CVEs                     |
| 1.10.8              | 2.12.2             | CVE-2021-44228, CVE-2021-45046 |
| 1.10.9              | 2.12.4             | CVE-2021-45105, CVE-2021-44832 |
| 1.11.10             | 2.15.0             | CVE-2021-44228                 |
| 1.11.11             | 2.16.0             | CVE-2021-45046                 |
| 1.11.12             | 2.17.0             | CVE-2021-45105                 |
| 1.11.13             | 2.17.1             | CVE-2021-44832                 |
@Copilot Copilot AI review requested due to automatic review settings May 9, 2025 10:56
Copilot
Copilot AI reviewed May 9, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR corrects the version ranges for the vulnerability in the "pax-logging-log4j2" package affected by CVE-2021-45105. It updates the JSON advisory file to reflect accurate fixed versions for both 1.x and 2.x releases.

  • Added a version range block for the 1.10.x series (introduced "1.10.0" and fixed "1.10.9").
  • Added a version range block for the 1.11.x series (introduced "1.11.0" and fixed "1.11.12").
  • Added a version range block for the 2.0.x series (introduced "2.0.0" and fixed "2.0.13").

@github-actions github-actions bot changed the base branch from main to ppkarwasz/advisory-improvement-5522 May 9, 2025 10:57
@ppkarwasz ppkarwasz mentioned this pull request May 9, 2025
Closed
@ppkarwasz ppkarwasz requested a review from Copilot May 9, 2025 11:53
Copilot
Copilot AI reviewed May 9, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates the vulnerability advisory ranges for pax-logging-log4j2 to correctly reflect the versions fixed for CVE-2021-45105.

  • Adds a "fixed": "1.9.2" event to the pre-existing range.
  • Introduces new range blocks for versions 1.10.0–1.10.9 and 1.11.0–1.11.12.
  • Adds a range block intended for later versions with a fixed version of 2.0.13.
Comments suppressed due to low confidence (1)

advisories/github-reviewed/2021/12/GHSA-p6xc-xr62-6r2g/GHSA-p6xc-xr62-6r2g.json:123

  • The range block with a fixed version of "2.0.13" appears to have an incorrect introduced version; it should likely use "introduced": "2.0.0" to accurately represent the 2.x series.
"introduced": "1.11.0"

@advisory-database advisory-database bot merged commit a2286e9 into github:ppkarwasz/advisory-improvement-5522 May 9, 2025
2 checks passed
@advisory-database
Copy link
Contributor

Hi @ppkarwasz! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@ppkarwasz ppkarwasz deleted the pax-logging-1/cve-2021-45105 branch May 9, 2025 12:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ppkarwasz