Apache Log4j, a Java-based open source logging tool from the Apache Foundation, is vulnerable to SQL injection. The flaw stems from the JDBCAppender in Log4j 1.2.x, which accepts a complete SQL statement as a configuration parameter and fills in the values to be inserted from the PatternLayout's converters; the message converter %m may always be included. An attacker could exploit this vulnerability by entering crafted strings into the input fields or headers of the logged application, which are then spliced into the statement and cause unexpected SQL queries to be executed.
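As an added example (not part of the original advisory), the following script audits a Log4j 1.x `log4j.properties` file for the exact pattern described above: a `JDBCAppender` whose `sql` parameter embeds attacker-influenced converters such as `%m`. The sample properties text is constructed for the example; the treatment of `%x`/`%X` (MDC/NDC values) as attacker-influenced alongside `%m` is an assumption, not something the advisory states.

```python
import re
from typing import Dict, List

# Constructed sample configuration (not from the advisory). The "sql" line
# is the risky shape: a full INSERT whose values are PatternLayout converters.
SAMPLE_PROPERTIES = """
log4j.rootLogger=INFO, DB, CONSOLE
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:mysql://localhost/app
log4j.appender.DB.sql=INSERT INTO LOGS VALUES('%x','%d','%C','%p','%m')
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern=%d %p %m%n
"""

JDBC_APPENDER = "org.apache.log4j.jdbc.JDBCAppender"
# %m is the logged message (the converter the advisory names). %x / %X{key}
# carry NDC/MDC values that applications often fill from request data; treating
# them as tainted is an assumption made for this example.
TAINTED = re.compile(r"%-?\d*(?:\.\d+)?(?:m|X\{[^}]*\}|x)")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for log4j 1.x properties files."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_injectable_appenders(text: str) -> List[str]:
    """Return the names of JDBCAppender instances whose SQL template splices
    attacker-influenced converters directly into the statement text."""
    props = parse_properties(text)
    flagged = []
    for key, value in props.items():
        if value == JDBC_APPENDER and key.startswith("log4j.appender."):
            name = key[len("log4j.appender."):]
            sql = props.get(f"log4j.appender.{name}.sql", "")
            if TAINTED.search(sql):
                flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(find_injectable_appenders(SAMPLE_PROPERTIES))  # prints ['DB']
```

Any appender the script flags should be removed or migrated off the 1.2.x JDBCAppender, since the statement text itself is the configuration and there is no parameter binding to repair.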
Name | Operator | Version |
---|---|---|
Apache Log4j (>= 1.2) | le | 1.2.17 |