Apache log4net before 2.0.10 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.
| Score | Percentile |
|---|---|
| 49.02% | 97.63% |

| Base score | Version | Severity | Vector |
|---|---|---|---|
| 9.8 | 3.1 | — | |

| Type | Value |
|---|---|
| GHSA | GHSA-2cwj-8chv-9pp9 |
| CVE | CVE-2018-1285 |

| CWE id | Name |
|---|---|
| CWE-611 | Improper Restriction of XML External Entity Reference |

Vulnerable version ranges and first patched releases as published by GitHub.

| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| nuget | log4net | < 2.0.10 | 2.0.10 | — |