Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

fstec логотип

BDU:2025-13811

Опубликовано: 22 авг. 2025
Источник: fstec
CVSS3: 5.4
CVSS2: 5.5
EPSS Низкий

Описание

Уязвимость фреймворка для логирования на C++ Apache Log4cxx связана с неправильной обработкой выходных данных для журналов регистрации. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить несанкционированный доступ к конфиденциальным данным

Вендор

Novell Inc.
Сообщество свободного программного обеспечения
ООО «Ред Софт»
Apache Software Foundation

Наименование ПО

openSUSE Tumbleweed
Debian GNU/Linux
РЕД ОС
log4cxx

Версия ПО

- (openSUSE Tumbleweed)
11 (Debian GNU/Linux)
7.3 (РЕД ОС)
до 1.5.0 (log4cxx)

Тип ПО

Операционная система
Прикладное ПО информационных систем

Операционные системы и аппаратные платформы

Novell Inc. openSUSE Tumbleweed -
Сообщество свободного программного обеспечения Debian GNU/Linux 11
ООО «Ред Софт» РЕД ОС 7.3

Уровень опасности уязвимости

Средний уровень опасности (базовая оценка CVSS 2.0 составляет 5,5)
Средний уровень опасности (базовая оценка CVSS 3.1 составляет 5,4)

Возможные меры по устранению уязвимости

Использование рекомендаций:
https://github.com/apache/logging-log4cxx/pull/514
https://github.com/apache/logging-log4cxx/pull/509
Для РедОС:
https://redos.red-soft.ru/support/secure/uyazvimosti/mnozhestvennye-uyazvimosti-log4cxx-cve-2025-54812-cve-2025-54813-cve-2023-31038/?sphrase_id=1339040
Для Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2025-54812
Для программных продуктов Novell Inc.:
https://www.suse.com/ko-kr/security/cve/CVE-2025-54812.html

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Данные уточняются

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

EPSS

Процентиль: 53%
0.00299
Низкий

5.4 Medium

CVSS3

5.5 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2025-54812

CVSS3: 5.4
ubuntu
3 месяца назад

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order to hide information from logs or steal data from the user. In order to activate this, the following sequence must occur: * Log4cxx is configured to use HTMLLayout. * Logger name comes from an untrusted string * Logger with compromised name logs a message * User opens the generated HTML log file in their browser, leading to potential XSS Because logger names are generally constant strings, we assess the impact to users as LOW This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.

redhat логотип

CVE-2025-54812

CVSS3: 5.4
redhat
3 месяца назад

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order to hide information from logs or steal data from the user. In order to activate this, the following sequence must occur: * Log4cxx is configured to use HTMLLayout. * Logger name comes from an untrusted string * Logger with compromised name logs a message * User opens the generated HTML log file in their browser, leading to potential XSS Because logger names are generally constant strings, we assess the impact to users as LOW This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.

nvd логотип

CVE-2025-54812

CVSS3: 5.4
nvd
3 месяца назад

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order to hide information from logs or steal data from the user. In order to activate this, the following sequence must occur: * Log4cxx is configured to use HTMLLayout. * Logger name comes from an untrusted string * Logger with compromised name logs a message * User opens the generated HTML log file in their browser, leading to potential XSS Because logger names are generally constant strings, we assess the impact to users as LOW This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.

debian логотип

CVE-2025-54812

CVSS3: 5.4
debian
3 месяца назад

Improper Output Neutralization for Logs vulnerability in Apache Log4cx ...

github логотип

GHSA-7mpr-gcjx-jcmw

CVSS3: 5.4
github
3 месяца назад

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order to hide information from logs or steal data from the user. In order to activate this, the following sequence must occur: * Log4cxx is configured to use HTMLLayout. * Logger name comes from an untrusted string * Logger with compromised name logs a message * User opens the generated HTML log file in their browser, leading to potential XSS Because logger names are generally constant strings, we assess the impact to users as LOW This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.

EPSS

Процентиль: 53%
0.00299
Низкий

5.4 Medium

CVSS3

5.5 Medium

CVSS2