Vulnerability-Lookup

RHSA-2026:21773

Vulnerability from csaf_redhat - Published: 2026-05-28 22:46 - Updated: 2026-05-29 09:03

Summary

Red Hat Security Advisory: Red Hat Offline Knowledge Portal security and content update

Severity

Important

Notes

Topic: Red Hat Offline Knowledge Portal security fixes, bug fixes, enhancements & content update

Details: This Red Hat Offline Knowledge Portal release upgrades from Solr 9.8.1 to Solr 10.0.0, and fixes several CVEs. It also includes content updates as of May 26 2026.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-11143

A flaw was found in org.eclipse.jetty. The Jetty URI parser handles invalid or unusual Uniform Resource Identifiers (URIs) differently compared to other common parsers. This discrepancy, known as differential parsing, can lead to security bypasses in systems that use multiple components to process URIs, such as when a blacklist enforcement component interprets a URI differently from a response generation component. At a minimum, this issue could unintentionally reveal internal system details.

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 2 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64		—	Vendor Fix fix
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64		—	Vendor Fix fix

Threats

Impact Low

CVE-2026-2332

A flaw was found in Eclipse Jetty. The HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used. An attacker can inject crafted requests to manipulate and trick the parser. This issue can lead to security controls bypass, cache poisoning or unauthorized endpoint access.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 2 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64		—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64		—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-34477

A flaw was found in Apache Log4j Core. A network-based attacker can perform a man-in-the-middle (MITM) attack, allowing them to intercept encrypted communications. This occurs when an SMTP, Socket, or Syslog appender uses Transport Layer Security (TLS) with a nested <Ssl> element, and the attacker has a certificate from a trusted Certificate Authority (CA). The vulnerability stems from an incomplete hostname verification fix, making TLS connections susceptible to interception.

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-295 - Improper Certificate Validation

Affected products

Fixed 2 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64		—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64		—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-34478

A flaw was found in Apache Log4j Core. This vulnerability allows for log injection through the use of Carriage Return Line Feed (CRLF) sequences. This occurs because security-related configuration attributes were silently renamed, impacting users who directly configure Rfc5424Layout with stream-based syslog services. An attacker could exploit this to inject malicious data into log files, potentially obscuring critical security events or manipulating system records.

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Affected products

Fixed 2 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64		—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64		—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-34479

A flaw was found in the Apache Log4j 1-to-Log4j 2 bridge. The Log4j1XmlLayout component fails to properly escape characters forbidden by the XML 1.0 standard. This improper handling of characters results in malformed XML output, which can cause downstream log processing systems to drop or fail to index affected records. The primary consequence is a denial of service for log analysis, potentially hindering security monitoring and incident response.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-91 - XML Injection (aka Blind XPath Injection)

Affected products

Fixed 2 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64		—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64		—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-34480

A flaw was found in Apache Log4j Core. The XmlLayout component, responsible for formatting log messages into XML, does not properly remove or replace characters that are not allowed in XML 1.0. When log messages or diagnostic information contain these forbidden characters, the resulting XML output becomes invalid. This can lead to two main issues: either systems processing these logs will fail to read the affected records, or the logging process itself will stop delivering events, both resulting in a denial of service for logging operations.

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-168 - Improper Handling of Inconsistent Special Elements

Affected products

Fixed 2 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64		—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64		—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-34481

A flaw was found in Apache Log4j's JsonTemplateLayout. This vulnerability allows a remote attacker to disrupt log processing systems. By sending log events that include specific non-numeric floating-point values, the attacker can cause the JsonTemplateLayout to generate invalid JSON output. This invalid output can then lead to downstream systems rejecting or failing to index these logs, effectively causing a denial of service for log analysis.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE-241 - Improper Handling of Unexpected Data Type

Affected products

Fixed 2 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64		—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64		—	Vendor Fix fix Workaround

Threats

Impact Moderate

References

64 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:21773	self
https://access.redhat.com/products/red-hat-offlin…	external
https://access.redhat.com/security/cve/CVE-2025-11143	external
https://access.redhat.com/security/cve/CVE-2026-2332	external
https://access.redhat.com/security/cve/CVE-2026-34477	external
https://access.redhat.com/security/cve/CVE-2026-34478	external
https://access.redhat.com/security/cve/CVE-2026-34479	external
https://access.redhat.com/security/cve/CVE-2026-34480	external
https://access.redhat.com/security/cve/CVE-2026-34481	external
https://access.redhat.com/security/updates/classi…	external
https://docs.redhat.com/en/documentation/red_hat_…	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2025-11143	self
https://bugzilla.redhat.com/show_bug.cgi?id=2444808	external
https://www.cve.org/CVERecord?id=CVE-2025-11143	external
https://nvd.nist.gov/vuln/detail/CVE-2025-11143	external
https://github.com/jetty/jetty.project/security/a…	external
https://access.redhat.com/security/cve/CVE-2026-2332	self
https://bugzilla.redhat.com/show_bug.cgi?id=2458187	external
https://www.cve.org/CVERecord?id=CVE-2026-2332	external
https://nvd.nist.gov/vuln/detail/CVE-2026-2332	external
https://github.com/jetty/jetty.project/security/a…	external
https://gitlab.eclipse.org/security/cve-assignmen…	external
https://access.redhat.com/security/cve/CVE-2026-34477	self
https://bugzilla.redhat.com/show_bug.cgi?id=2457319	external
https://www.cve.org/CVERecord?id=CVE-2026-34477	external
https://nvd.nist.gov/vuln/detail/CVE-2026-34477	external
https://github.com/apache/logging-log4j2/pull/4075	external
https://lists.apache.org/thread/lkx8cl46t2bvkcwfc…	external
https://logging.apache.org/cyclonedx/vdr.xml	external
https://logging.apache.org/log4j/2.x/manual/appen…	external
https://logging.apache.org/security.html#CVE-2026-34477	external
https://access.redhat.com/security/cve/CVE-2026-34478	self
https://bugzilla.redhat.com/show_bug.cgi?id=2457323	external
https://www.cve.org/CVERecord?id=CVE-2026-34478	external
https://nvd.nist.gov/vuln/detail/CVE-2026-34478	external
https://github.com/apache/logging-log4j2/pull/4074	external
https://lists.apache.org/thread/3k1clr2l6vkdnl4cb…	external
https://logging.apache.org/log4j/2.x/manual/layou…	external
https://logging.apache.org/security.html#CVE-2026-34478	external
https://access.redhat.com/security/cve/CVE-2026-34479	self
https://bugzilla.redhat.com/show_bug.cgi?id=2457313	external
https://www.cve.org/CVERecord?id=CVE-2026-34479	external
https://nvd.nist.gov/vuln/detail/CVE-2026-34479	external
https://github.com/apache/logging-log4j2/pull/4078	external
https://lists.apache.org/thread/gd0hp6mj17rn3kj27…	external
https://logging.apache.org/log4j/2.x/migrate-from…	external
https://logging.apache.org/security.html#CVE-2026-34479	external
https://access.redhat.com/security/cve/CVE-2026-34480	self
https://bugzilla.redhat.com/show_bug.cgi?id=2457328	external
https://www.cve.org/CVERecord?id=CVE-2026-34480	external
https://nvd.nist.gov/vuln/detail/CVE-2026-34480	external
https://github.com/apache/logging-log4j2/pull/4077	external
https://lists.apache.org/thread/5x0hcnng0chhghp6j…	external
https://logging.apache.org/log4j/2.x/manual/layou…	external
https://logging.apache.org/security.html#CVE-2026-34480	external
https://access.redhat.com/security/cve/CVE-2026-34481	self
https://bugzilla.redhat.com/show_bug.cgi?id=2457321	external
https://www.cve.org/CVERecord?id=CVE-2026-34481	external
https://nvd.nist.gov/vuln/detail/CVE-2026-34481	external
https://github.com/apache/logging-log4j2/pull/4080	external
https://lists.apache.org/thread/n34zdv00gbkdbzt2r…	external
https://logging.apache.org/log4j/2.x/manual/json-…	external
https://logging.apache.org/security.html#CVE-2026-34481	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat Offline Knowledge Portal security fixes, bug fixes, enhancements \u0026 content update",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This Red Hat Offline Knowledge Portal release upgrades from Solr 9.8.1 to Solr 10.0.0, and fixes several CVEs. It also includes content updates as of May 26 2026.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:21773",
        "url": "https://access.redhat.com/errata/RHSA-2026:21773"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/products/red-hat-offline-knowledge-portal",
        "url": "https://access.redhat.com/products/red-hat-offline-knowledge-portal"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-11143",
        "url": "https://access.redhat.com/security/cve/CVE-2025-11143"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-2332",
        "url": "https://access.redhat.com/security/cve/CVE-2026-2332"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-34477",
        "url": "https://access.redhat.com/security/cve/CVE-2026-34477"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-34478",
        "url": "https://access.redhat.com/security/cve/CVE-2026-34478"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-34479",
        "url": "https://access.redhat.com/security/cve/CVE-2026-34479"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-34480",
        "url": "https://access.redhat.com/security/cve/CVE-2026-34480"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-34481",
        "url": "https://access.redhat.com/security/cve/CVE-2026-34481"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_offline_knowledge_portal/1",
        "url": "https://docs.redhat.com/en/documentation/red_hat_offline_knowledge_portal/1"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_21773.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Offline Knowledge Portal security and content update",
    "tracking": {
      "current_release_date": "2026-05-29T09:03:14+00:00",
      "generator": {
        "date": "2026-05-29T09:03:14+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.1"
        }
      },
      "id": "RHSA-2026:21773",
      "initial_release_date": "2026-05-28T22:46:23+00:00",
      "revision_history": [
        {
          "date": "2026-05-28T22:46:23+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-28T22:46:32+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-29T09:03:14+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Offline Knowledge Portal 1.2.4",
                "product": {
                  "name": "Red Hat Offline Knowledge Portal 1.2.4",
                  "product_id": "Red Hat Offline Knowledge Portal 1.2.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:offline_knowledge_portal:1.2::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Offline Knowledge Portal"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64",
                "product": {
                  "name": "registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64",
                  "product_id": "registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhokp-rhel9@sha256%3Aec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36?arch=amd64\u0026repository_url=registry.redhat.io/offline-knowledge-portal/rhokp-rhel9\u0026tag=1779996999"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
                "product": {
                  "name": "registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
                  "product_id": "registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhokp-rhel9@sha256%3Ab26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e?arch=arm64\u0026repository_url=registry.redhat.io/offline-knowledge-portal/rhokp-rhel9\u0026tag=1779996999"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64 as a component of Red Hat Offline Knowledge Portal 1.2.4",
          "product_id": "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64"
        },
        "product_reference": "registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
        "relates_to_product_reference": "Red Hat Offline Knowledge Portal 1.2.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64 as a component of Red Hat Offline Knowledge Portal 1.2.4",
          "product_id": "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
        },
        "product_reference": "registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64",
        "relates_to_product_reference": "Red Hat Offline Knowledge Portal 1.2.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-11143",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2026-03-05T10:00:56.604564+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2444808"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in org.eclipse.jetty. The Jetty URI parser handles invalid or unusual Uniform Resource Identifiers (URIs) differently compared to other common parsers. This discrepancy, known as differential parsing, can lead to security bypasses in systems that use multiple components to process URIs, such as when a blacklist enforcement component interprets a URI differently from a response generation component. At a minimum, this issue could unintentionally reveal internal system details.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jetty/jetty-http: org.eclipse.jetty: Security bypass due to differential URI parsing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated as Low by Red Hat. Successful usage of this vulnerability is non-trivial, as the attacker must be able to craft a URI that exploits Jetty\u0027s differential parsing while bypassing other parsers (ex. in a firewall or load balancer). Additionally, divulging implementation details is possible but not guaranteed while also being indirect, meaning that an attacker may be able to obtain error messages or behavioral differences, but those are not guaranteed. As such, there is likely no direct leak of sensitive data.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-11143"
        },
        {
          "category": "external",
          "summary": "RHBZ#2444808",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444808"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-11143",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-11143"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-11143",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11143"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh"
        }
      ],
      "release_date": "2026-03-05T09:26:59.830000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-28T22:46:23+00:00",
          "details": "The container image provided by this update can be downloaded from the Red Hat container registry at registry.redhat.io using the \"podman pull\" command.",
          "product_ids": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:21773"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "org.eclipse.jetty/jetty-http: org.eclipse.jetty: Security bypass due to differential URI parsing"
    },
    {
      "cve": "CVE-2026-2332",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2026-04-14T12:01:05.768902+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2458187"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Eclipse Jetty. The HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used. An attacker can inject crafted requests to manipulate and trick the parser. This issue can lead to security controls bypass, cache poisoning or unauthorized endpoint access.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this issue, an attacker needs to send a crafted payload to a Jetty server that is behind a reverse proxy or load balancer, specifically with a chunk extension that includes an unclosed double quote before the CRLF to trick the parser. This flaw allows an attacker to bypass security controls, cause cache poisoning or gain unauthorized endpoint access. Due to these reasons, this vulnerability has been rated with an important severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-2332"
        },
        {
          "category": "external",
          "summary": "RHBZ#2458187",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458187"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-2332",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-2332"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-2332",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2332"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/89",
          "url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/89"
        }
      ],
      "release_date": "2026-04-14T10:59:10.193000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-28T22:46:23+00:00",
          "details": "The container image provided by this update can be downloaded from the Red Hat container registry at registry.redhat.io using the \"podman pull\" command.",
          "product_ids": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:21773"
        },
        {
          "category": "workaround",
          "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
          "product_ids": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing"
    },
    {
      "cve": "CVE-2026-34477",
      "cwe": {
        "id": "CWE-295",
        "name": "Improper Certificate Validation"
      },
      "discovery_date": "2026-04-10T16:01:36.691709+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2457319"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Log4j Core. A network-based attacker can perform a man-in-the-middle (MITM) attack, allowing them to intercept encrypted communications. This occurs when an SMTP, Socket, or Syslog appender uses Transport Layer Security (TLS) with a nested \u003cSsl\u003e element, and the attacker has a certificate from a trusted Certificate Authority (CA). The vulnerability stems from an incomplete hostname verification fix, making TLS connections susceptible to interception.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.apache.logging.log4j/log4j-core: Apache Log4j Core: Man-in-the-middle attack due to incomplete hostname verification",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-34477"
        },
        {
          "category": "external",
          "summary": "RHBZ#2457319",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457319"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-34477",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34477"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34477",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34477"
        },
        {
          "category": "external",
          "summary": "https://github.com/apache/logging-log4j2/pull/4075",
          "url": "https://github.com/apache/logging-log4j2/pull/4075"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4",
          "url": "https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/cyclonedx/vdr.xml",
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName",
          "url": "https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/security.html#CVE-2026-34477",
          "url": "https://logging.apache.org/security.html#CVE-2026-34477"
        }
      ],
      "release_date": "2026-04-10T15:36:19.740000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-28T22:46:23+00:00",
          "details": "The container image provided by this update can be downloaded from the Red Hat container registry at registry.redhat.io using the \"podman pull\" command.",
          "product_ids": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:21773"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.apache.logging.log4j/log4j-core: Apache Log4j Core: Man-in-the-middle attack due to incomplete hostname verification"
    },
    {
      "cve": "CVE-2026-34478",
      "cwe": {
        "id": "CWE-93",
        "name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
      },
      "discovery_date": "2026-04-10T16:01:52.683616+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2457323"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Log4j Core. This vulnerability allows for log injection through the use of Carriage Return Line Feed (CRLF) sequences. This occurs because security-related configuration attributes were silently renamed, impacting users who directly configure Rfc5424Layout with stream-based syslog services. An attacker could exploit this to inject malicious data into log files, potentially obscuring critical security events or manipulating system records.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.apache.logging.log4j/log4j-core: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability allows log injection via CRLF sequences due to silently renamed security attributes in Rfc5424Layout. This affects Red Hat products that directly configure Rfc5424Layout with stream-based syslog services, potentially enabling an attacker to obscure or manipulate log records. This impact is limited to specific configurations, as users of the SyslogAppender are not affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-34478"
        },
        {
          "category": "external",
          "summary": "RHBZ#2457323",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457323"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-34478",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34478"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34478",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34478"
        },
        {
          "category": "external",
          "summary": "https://github.com/apache/logging-log4j2/pull/4074",
          "url": "https://github.com/apache/logging-log4j2/pull/4074"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt",
          "url": "https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/cyclonedx/vdr.xml",
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout",
          "url": "https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/security.html#CVE-2026-34478",
          "url": "https://logging.apache.org/security.html#CVE-2026-34478"
        }
      ],
      "release_date": "2026-04-10T15:40:17.713000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-28T22:46:23+00:00",
          "details": "The container image provided by this update can be downloaded from the Red Hat container registry at registry.redhat.io using the \"podman pull\" command.",
          "product_ids": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:21773"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.apache.logging.log4j/log4j-core: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames"
    },
    {
      "cve": "CVE-2026-34479",
      "cwe": {
        "id": "CWE-91",
        "name": "XML Injection (aka Blind XPath Injection)"
      },
      "discovery_date": "2026-04-10T16:01:11.900823+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2457313"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Apache Log4j 1-to-Log4j 2 bridge. The Log4j1XmlLayout component fails to properly escape characters forbidden by the XML 1.0 standard. This improper handling of characters results in malformed XML output, which can cause downstream log processing systems to drop or fail to index affected records. The primary consequence is a denial of service for log analysis, potentially hindering security monitoring and incident response.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.apache.logging.log4j/log4j-1.2-api: Apache Log4j 1-to-Log4j 2 bridge: Log processing denial of service due to improper XML escaping",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-34479"
        },
        {
          "category": "external",
          "summary": "RHBZ#2457313",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457313"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-34479",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34479"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34479",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34479"
        },
        {
          "category": "external",
          "summary": "https://github.com/apache/logging-log4j2/pull/4078",
          "url": "https://github.com/apache/logging-log4j2/pull/4078"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on",
          "url": "https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/cyclonedx/vdr.xml",
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html",
          "url": "https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/security.html#CVE-2026-34479",
          "url": "https://logging.apache.org/security.html#CVE-2026-34479"
        }
      ],
      "release_date": "2026-04-10T15:41:07.888000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-28T22:46:23+00:00",
          "details": "The container image provided by this update can be downloaded from the Red Hat container registry at registry.redhat.io using the \"podman pull\" command.",
          "product_ids": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:21773"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.apache.logging.log4j/log4j-1.2-api: Apache Log4j 1-to-Log4j 2 bridge: Log processing denial of service due to improper XML escaping"
    },
    {
      "cve": "CVE-2026-34480",
      "cwe": {
        "id": "CWE-168",
        "name": "Improper Handling of Inconsistent Special Elements"
      },
      "discovery_date": "2026-04-10T16:02:17.024798+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2457328"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Log4j Core. The XmlLayout component, responsible for formatting log messages into XML, does not properly remove or replace characters that are not allowed in XML 1.0. When log messages or diagnostic information contain these forbidden characters, the resulting XML output becomes invalid. This can lead to two main issues: either systems processing these logs will fail to read the affected records, or the logging process itself will stop delivering events, both resulting in a denial of service for logging operations.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.apache.logging.log4j/log4j-core: Apache Log4j Core: Invalid XML output causes denial of service in logging",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw in Apache Log4j Core\u0027s XmlLayout component can lead to a denial of service in logging operations when log messages contain characters forbidden by the XML 1.0 specification. Systems processing these logs may fail to read records or the logging process may cease event delivery, impacting monitoring and auditing capabilities in affected Red Hat products. Red Hat products in their default configurations will be able to automatically recover, but some log messages may be lost.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-34480"
        },
        {
          "category": "external",
          "summary": "RHBZ#2457328",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457328"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-34480",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34480"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34480",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34480"
        },
        {
          "category": "external",
          "summary": "https://github.com/apache/logging-log4j2/pull/4077",
          "url": "https://github.com/apache/logging-log4j2/pull/4077"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb",
          "url": "https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/cyclonedx/vdr.xml",
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout",
          "url": "https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/security.html#CVE-2026-34480",
          "url": "https://logging.apache.org/security.html#CVE-2026-34480"
        }
      ],
      "release_date": "2026-04-10T15:42:03.843000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-28T22:46:23+00:00",
          "details": "The container image provided by this update can be downloaded from the Red Hat container registry at registry.redhat.io using the \"podman pull\" command.",
          "product_ids": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:21773"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.apache.logging.log4j/log4j-core: Apache Log4j Core: Invalid XML output causes denial of service in logging"
    },
    {
      "cve": "CVE-2026-34481",
      "cwe": {
        "id": "CWE-241",
        "name": "Improper Handling of Unexpected Data Type"
      },
      "discovery_date": "2026-04-10T16:01:44.581898+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2457321"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Log4j\u0027s JsonTemplateLayout. This vulnerability allows a remote attacker to disrupt log processing systems. By sending log events that include specific non-numeric floating-point values, the attacker can cause the JsonTemplateLayout to generate invalid JSON output. This invalid output can then lead to downstream systems rejecting or failing to index these logs, effectively causing a denial of service for log analysis.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.apache.logging.log4j: Apache Log4j JsonTemplateLayout: Denial of Service via invalid JSON output",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Exploitation of this flaw requires an application to be configured with JsonTemplateLayout and to log attacker-controlled non-finite floating-point values within a MapMessage, which is not a default or common configuration in Red Hat products.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
          "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-34481"
        },
        {
          "category": "external",
          "summary": "RHBZ#2457321",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457321"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-34481",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-34481"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34481",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34481"
        },
        {
          "category": "external",
          "summary": "https://github.com/apache/logging-log4j2/pull/4080",
          "url": "https://github.com/apache/logging-log4j2/pull/4080"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv",
          "url": "https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/cyclonedx/vdr.xml",
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/log4j/2.x/manual/json-template-layout.html",
          "url": "https://logging.apache.org/log4j/2.x/manual/json-template-layout.html"
        },
        {
          "category": "external",
          "summary": "https://logging.apache.org/security.html#CVE-2026-34481",
          "url": "https://logging.apache.org/security.html#CVE-2026-34481"
        }
      ],
      "release_date": "2026-04-10T15:43:00.100000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-28T22:46:23+00:00",
          "details": "The container image provided by this update can be downloaded from the Red Hat container registry at registry.redhat.io using the \"podman pull\" command.",
          "product_ids": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:21773"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:b26253f0a6c6b9e8c8458ecb07e79e9f87ff313491fffc31e342e32bce0a2b3e_arm64",
            "Red Hat Offline Knowledge Portal 1.2.4:registry.redhat.io/offline-knowledge-portal/rhokp-rhel9@sha256:ec8b14b7a170b689a19cee7820888e81ddc3affc2faada6cc6139644f328bd36_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.apache.logging.log4j: Apache Log4j JsonTemplateLayout: Denial of Service via invalid JSON output"
    }
  ]
}

CVE-2025-11143 (GCVE-0-2025-11143)

Vulnerability from cvelistv5 – Published: 2026-03-05 09:26 – Updated: 2026-03-05 14:48

Summary

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

Severity

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-20 - Improper Input Validation

Assigner

eclipse

References

1 reference

URL	Tags
https://github.com/jetty/jetty.project/security/a…

Impacted products

1 product

Vendor	Product	Version
Eclipse Foundation	Eclipse Jetty	Affected: 9.4.0 , ≤ 9.4.58 (semver) Affected: 10.0.0 , ≤ 10.0.26 (semver) Affected: 11.0.0 , ≤ 11.0.26 (semver) Affected: 12.0.0 , ≤ 12.0.30 (semver) Affected: 12.1.0 , ≤ 12.1.4 (semver)

Credits

zer0yu

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11143",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-05T14:48:27.345884Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-05T14:48:41.622Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Eclipse Jetty",
          "repo": "https://github.com/jetty/jetty.project",
          "vendor": "Eclipse Foundation",
          "versions": [
            {
              "lessThanOrEqual": "9.4.58",
              "status": "affected",
              "version": "9.4.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.0.26",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "11.0.26",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "12.0.30",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "12.1.4",
              "status": "affected",
              "version": "12.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "zer0yu"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDifferential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAt the very least, differential parsing may divulge implementation details.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs.\u00a0Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response.\u00a0At the very least, differential parsing may divulge implementation details."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-05T09:26:59.830Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-wjpw-4j6x-6rwh"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2025-11143",
    "datePublished": "2026-03-05T09:26:59.830Z",
    "dateReserved": "2025-09-29T05:08:52.530Z",
    "dateUpdated": "2026-03-05T14:48:41.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2332 (GCVE-0-2026-2332)

Vulnerability from cvelistv5 – Published: 2026-04-14 10:59 – Updated: 2026-04-15 03:58

Title

HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Summary

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

Severity

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-444 - Inconsistent interpretation of HTTP requests ('HTTP Request/Response smuggling')

Assigner

eclipse

References

2 references

URL	Tags
https://github.com/jetty/jetty.project/security/a…	third-party-advisory
https://gitlab.eclipse.org/security/cve-assignmen…	issue-tracking

Impacted products

1 product

Vendor	Product	Version
Eclipse Foundation	Eclipse Jetty	Affected: 12.1.0 , ≤ 12.1.6 (semver) Affected: 12.0.0 , ≤ 12.0.32 (semver) Affected: 11.0.0 , ≤ 11.0.27 (semver) Affected: 10.0.0 , ≤ 10.0.27 (semver) Affected: 9.4.0 , ≤ 9.4.59 (semver)

Credits

https://github.com/xclow3n

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2332",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-14T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-15T03:58:12.322Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "pkg://maven/org.eclipse.jetty/jetty-http",
          "product": "Eclipse Jetty",
          "repo": "https://github.com/jetty/jetty.project",
          "vendor": "Eclipse Foundation",
          "versions": [
            {
              "lessThanOrEqual": "12.1.6",
              "status": "affected",
              "version": "12.1.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "12.0.32",
              "status": "affected",
              "version": "12.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "11.0.27",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.0.27",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.4.59",
              "status": "affected",
              "version": "9.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "https://github.com/xclow3n"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the \"funky chunks\" techniques outlined here:\u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003cspan\u003ehttps://w4ke.info/2025/06/18/funky-chunks.html\u003c/span\u003e\u003cbr\u003e\u003c/li\u003e\u003cli\u003e\u003cspan\u003ehttps://w4ke.info/2025/10/29/funky-chunks-2.html\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003eJetty terminates chunk extension parsing at\u0026nbsp;\u003ccode\u003e\\r\\n\u003c/code\u003e\u0026nbsp;inside quoted strings instead of treating this as an error.\u003cbr\u003e\u003cbr\u003e\n\u003cpre\u003ePOST / HTTP/1.1\nHost: localhost\nTransfer-Encoding: chunked\n\n1;ext=\"val\nX\n0\n\nGET /smuggled HTTP/1.1\n...\n\u003c/pre\u003e\n\n\u003cdiv\u003e\u003cbr\u003eNote how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the \"funky chunks\" techniques outlined here:\n  *  https://w4ke.info/2025/06/18/funky-chunks.html\n\n  *  https://w4ke.info/2025/10/29/funky-chunks-2.html\n\n\nJetty terminates chunk extension parsing at\u00a0\\r\\n\u00a0inside quoted strings instead of treating this as an error.\n\n\nPOST / HTTP/1.1\nHost: localhost\nTransfer-Encoding: chunked\n\n1;ext=\"val\nX\n0\n\nGET /smuggled HTTP/1.1\n...\n\n\n\n\n\nNote how the chunk extension does not close the double quotes, and it is able to inject a smuggled request."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent interpretation of HTTP requests (\u0027HTTP Request/Response smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-14T10:59:10.193Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/89"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HTTP Request Smuggling via Chunked Extension Quoted-String Parsing",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2026-2332",
    "datePublished": "2026-04-14T10:59:10.193Z",
    "dateReserved": "2026-02-11T09:56:25.879Z",
    "dateUpdated": "2026-04-15T03:58:12.322Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34477 (GCVE-0-2026-34477)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:36 – Updated: 2026-04-10 17:38

Title

Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass

Summary

The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the <Ssl> element. Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met: * An SMTP, Socket, or Syslog appender is in use. * TLS is configured via a nested <Ssl> element. * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-297 - Improper Validation of Certificate with Host Mismatch

Assigner

apache

References

5 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4075	patch
https://logging.apache.org/security.html#CVE-2026-34477	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/manual/appen…	related
https://lists.apache.org/thread/lkx8cl46t2bvkcwfc…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j Core	Affected: 2.12.0 , < 2.25.4 (maven) Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta3 (maven) cpe:2.3:a:apache:log4j::::::::

Credits

Samuli Leinonen (original reporter) Naresh Kandula (independently) Vitaly Simonovich (independently) Raijuna (independently) Danish Siddiqui (djvirus, independently) Markus Magnuson (independently) Haruki Oyama (Waseda University, independently)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34477",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:36:46.652477Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:38:57.154Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-core",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-core",
          "product": "Apache Log4j Core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.12.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta3",
              "status": "affected",
              "version": "3.0.0-alpha1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Samuli Leinonen (original reporter)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Naresh Kandula (independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Vitaly Simonovich (independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Raijuna (independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Danish Siddiqui (djvirus, independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Markus Magnuson (independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Haruki Oyama (Waseda University, independently)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe fix for \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/security.html#CVE-2025-68161\"\u003eCVE-2025-68161\u003c/a\u003e was incomplete: it addressed hostname verification only when enabled via the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName\"\u003e\u003ccode\u003elog4j2.sslVerifyHostName\u003c/code\u003e\u003c/a\u003e system property, but not when configured through the \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName\"\u003everifyHostName\u003c/a\u003e\u003c/code\u003e attribute of the \u003ccode\u003e\u0026lt;Ssl\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\u003cp\u003eAlthough the \u003ccode\u003everifyHostName\u003c/code\u003e configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.\u003c/p\u003e\u003cp\u003eA network-based attacker may be able to perform a man-in-the-middle attack when \u003cstrong\u003eall\u003c/strong\u003e of the following conditions are met:\u003c/p\u003e\u003col\u003e\u003cli\u003eAn SMTP, Socket, or Syslog appender is in use.\u003c/li\u003e\u003cli\u003eTLS is configured via a nested \u003ccode\u003e\u0026lt;Ssl\u0026gt;\u003c/code\u003e element.\u003c/li\u003e\u003cli\u003eThe attacker can present a certificate issued by a CA trusted by the appender\u0027s configured trust store, or by the default Java trust store if none is configured.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThis issue does not affect users of the HTTP appender, which uses a separate \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName\"\u003everifyHostname\u003c/a\u003e\u003c/code\u003e attribute that was not subject to this bug and verifies host names by default.\u003c/p\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.\u003c/p\u003e"
            }
          ],
          "value": "The fix for  CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161  was incomplete: it addressed hostname verification only when enabled via the  log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName  system property, but not when configured through the  verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName  attribute of the \u003cSsl\u003e element.\n\nAlthough the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.\n\nA network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:\n\n  *  An SMTP, Socket, or Syslog appender is in use.\n  *  TLS is configured via a nested \u003cSsl\u003e element.\n  *  The attacker can present a certificate issued by a CA trusted by the appender\u0027s configured trust store, or by the default Java trust store if none is configured.\nThis issue does not affect users of the HTTP appender, which uses a separate  verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName  attribute that was not subject to this bug and verifies host names by default.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-297",
              "description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:36:19.740Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4075"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34477"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-20T19:05:00.000Z",
          "value": "Vulnerability reported by Samuli Leinonen"
        },
        {
          "lang": "en",
          "time": "2025-12-30T22:57:00.000Z",
          "value": "Candidate patch shared internally by Piotr P. Karwasz"
        },
        {
          "lang": "en",
          "time": "2026-02-25T19:35:00.000Z",
          "value": "Independent report received from Naresh Kandula"
        },
        {
          "lang": "en",
          "time": "2026-03-01T23:01:00.000Z",
          "value": "Independent report received from Vitaly Simonovich"
        },
        {
          "lang": "en",
          "time": "2026-03-02T06:31:00.000Z",
          "value": "Independent report received from Raijuna"
        },
        {
          "lang": "en",
          "time": "2026-03-08T18:17:00.000Z",
          "value": "Independent report received from Danish Siddiqui"
        },
        {
          "lang": "en",
          "time": "2026-03-19T09:46:00.000Z",
          "value": "Independent report received from Markus Magnuson"
        },
        {
          "lang": "en",
          "time": "2026-03-21T11:13:00.000Z",
          "value": "Independent report received from Haruki Oyama"
        },
        {
          "lang": "en",
          "time": "2026-03-24T19:46:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4075"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34477",
    "datePublished": "2026-04-10T15:36:19.740Z",
    "dateReserved": "2026-03-28T11:26:04.052Z",
    "dateUpdated": "2026-04-10T17:38:57.154Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34478 (GCVE-0-2026-34478)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:40 – Updated: 2026-04-10 17:50

Title

Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility

Summary

Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly: * The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output. * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-684 - Incorrect Provision of Specified Functionality
CWE-117 - Improper Output Neutralization for Logs

Assigner

apache

References

5 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4074	patch
https://logging.apache.org/security.html#CVE-2026-34478	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/manual/layou…	related
https://lists.apache.org/thread/3k1clr2l6vkdnl4cb…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j Core	Affected: 2.21.0 , < 2.25.4 (maven) Affected: 3.0.0-beta1 , ≤ 3.0.0-beta3 (maven) cpe:2.3:a:apache:log4j::::::::

Credits

Samuli Leinonen

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-10T16:18:17.528Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/10/7"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34478",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:48:27.852992Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:50:12.484Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-core",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-core",
          "product": "Apache Log4j Core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.21.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta3",
              "status": "affected",
              "version": "3.0.0-beta1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Samuli Leinonen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eApache Log4j Core\u0027s \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout\"\u003eRfc5424Layout\u003c/a\u003e\u003c/code\u003e, in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.\u003c/p\u003e\u003cp\u003eTwo distinct issues affect users of stream-based syslog services who configure \u003ccode\u003eRfc5424Layout\u003c/code\u003e directly:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe \u003ccode\u003enewLineEscape\u003c/code\u003e attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.\u003c/li\u003e\u003cli\u003eThe \u003ccode\u003euseTlsMessageFormat\u003c/code\u003e attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers of the \u003ccode\u003eSyslogAppender\u003c/code\u003e are not affected, as its configuration attributes were not modified.\u003c/p\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.\u003c/p\u003e"
            }
          ],
          "value": "Apache Log4j Core\u0027s  Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.\n\nTwo distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:\n\n  *  The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.\n  *  The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.\n\n\nUsers of the SyslogAppender are not affected, as its configuration attributes were not modified.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-684",
              "description": "CWE-684 Incorrect Provision of Specified Functionality",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-117",
              "description": "CWE-117 Improper Output Neutralization for Logs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:40:17.713Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4074"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34478"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-25T12:58:00.000Z",
          "value": "Vulnerability reported by Samuli Leinonen"
        },
        {
          "lang": "en",
          "time": "2026-03-10T16:00:00.000Z",
          "value": "Candidate patch shared internally by Piotr P. Karwasz"
        },
        {
          "lang": "en",
          "time": "2026-03-24T18:41:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4074"
        },
        {
          "lang": "en",
          "time": "2026-03-25T11:02:00.000Z",
          "value": "Fix verified by reporter"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34478",
    "datePublished": "2026-04-10T15:40:17.713Z",
    "dateReserved": "2026-03-28T13:17:35.586Z",
    "dateUpdated": "2026-04-10T17:50:12.484Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34479 (GCVE-0-2026-34479)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:41 – Updated: 2026-04-10 17:47

Title

Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

Summary

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected: * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file. * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class. Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

apache

References

5 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4078	patch
https://logging.apache.org/security.html#CVE-2026-34479	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/migrate-from…	related
https://lists.apache.org/thread/gd0hp6mj17rn3kj27…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j 1 to Log4j 2 bridge	Affected: 2.7 , < 2.25.4 (maven) Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta2 (maven) cpe:2.3:a:apache:log4j_1_2_api::::::::

Credits

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters) jabaltarik1 (independently)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-10T16:18:18.699Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/10/8"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34479",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:45:24.466114Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:47:34.402Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j_1_2_api:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-1.2-api",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-1.2-api",
          "product": "Apache Log4j 1 to Log4j 2 bridge",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.7",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta2",
              "status": "affected",
              "version": "3.0.0-alpha1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "jabaltarik1 (independently)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe \u003ccode\u003eLog4j1XmlLayout\u003c/code\u003e from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\u003c/p\u003e\u003cp\u003eTwo groups of users are affected:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThose using \u003ccode\u003eLog4j1XmlLayout\u003c/code\u003e directly in a Log4j Core 2 configuration file.\u003c/li\u003e\u003cli\u003eThose using the Log4j 1 configuration compatibility layer with \u003ccode\u003eorg.apache.log4j.xml.XMLLayout\u003c/code\u003e specified as the layout class.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNote:\u003c/strong\u003e The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html\"\u003eLog4j 1 to Log4j 2 migration guide\u003c/a\u003e, and specifically the section on eliminating reliance on the bridge.\u003c/p\u003e"
            }
          ],
          "value": "The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n  *  Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.\n  *  Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.\n\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\n\nNote: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the  Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:41:07.888Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4078"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34479"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-16T17:11:00.000Z",
          "value": "Vulnerability reported by Ap4sh and ethicxz"
        },
        {
          "lang": "en",
          "time": "2026-03-15T05:39:00.000Z",
          "value": "Independent report received from jabaltarik1"
        },
        {
          "lang": "en",
          "time": "2026-03-24T18:56:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4078"
        },
        {
          "lang": "en",
          "time": "2026-03-25T09:46:00.000Z",
          "value": "Fix verified by reporter"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34479",
    "datePublished": "2026-04-10T15:41:07.888Z",
    "dateReserved": "2026-03-28T14:06:31.965Z",
    "dateUpdated": "2026-04-10T17:47:34.402Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34480 (GCVE-0-2026-34480)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:42 – Updated: 2026-04-10 17:45

Title

Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

Summary

Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

apache

References

5 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4077	patch
https://logging.apache.org/security.html#CVE-2026-34480	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/manual/layou…	related
https://lists.apache.org/thread/5x0hcnng0chhghp6j…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j Core	Affected: 2.0-alpha1 , < 2.25.4 (maven) Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta3 (maven) cpe:2.3:a:apache:log4j::::::::

Credits

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters) jabaltarik1 (independently)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-10T16:18:19.775Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/10/9"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34480",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:43:51.255638Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:45:07.434Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-core",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-core",
          "product": "Apache Log4j Core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.0-alpha1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta3",
              "status": "affected",
              "version": "3.0.0-alpha1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "jabaltarik1 (independently)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eApache Log4j Core\u0027s \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout\"\u003eXmlLayout\u003c/a\u003e\u003c/code\u003e, in versions up to and including 2.25.3, fails to sanitize characters forbidden by the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.w3.org/TR/xml/#charsets\"\u003eXML 1.0 specification\u003c/a\u003e producing invalid XML output whenever a log message or MDC value contains such characters.\u003c/p\u003e\u003cp\u003eThe impact depends on the StAX implementation in use:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eJRE built-in StAX:\u003c/strong\u003e Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAlternative StAX implementations\u003c/strong\u003e (e.g., \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/FasterXML/woodstox\"\u003eWoodstox\u003c/a\u003e, a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j\u0027s internal status logger.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j Core \u003ccode\u003e2.25.4\u003c/code\u003e, which corrects this issue by sanitizing forbidden characters before XML output.\u003c/p\u003e"
            }
          ],
          "value": "Apache Log4j Core\u0027s  XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  producing invalid XML output whenever a log message or MDC value contains such characters.\n\nThe impact depends on the StAX implementation in use:\n\n  *  JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.\n  *  Alternative StAX implementations (e.g.,  Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j\u0027s internal status logger.\n\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:42:03.843Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4077"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34480"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-16T17:11:00.000Z",
          "value": "Vulnerability reported by Ap4sh and ethicxz"
        },
        {
          "lang": "en",
          "time": "2026-03-10T20:15:00.000Z",
          "value": "Candidate patch shared internally by Piotr P. Karwasz"
        },
        {
          "lang": "en",
          "time": "2026-03-15T05:39:00.000Z",
          "value": "Independent report received from jabaltarik1"
        },
        {
          "lang": "en",
          "time": "2026-03-24T18:52:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4077"
        },
        {
          "lang": "en",
          "time": "2026-03-25T09:46:00.000Z",
          "value": "Fix verified by reporter"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34480",
    "datePublished": "2026-04-10T15:42:03.843Z",
    "dateReserved": "2026-03-28T15:29:27.095Z",
    "dateUpdated": "2026-04-10T17:45:07.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34481 (GCVE-0-2026-34481)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:43 – Updated: 2026-04-10 17:41

Title

Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

Summary

Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

apache

References

5 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4080	patch
https://logging.apache.org/security.html#CVE-2026-34481	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/manual/json-…	related
https://lists.apache.org/thread/n34zdv00gbkdbzt2r…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j JSON Template Layout	Affected: 2.14.0 , < 2.25.4 (maven) Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta3 (maven) cpe:2.3:a:apache:log4j_layout_template_json::::::::

Credits

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-10T16:18:20.891Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/10/10"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34481",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:41:23.224802Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:41:38.229Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j_layout_template_json:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-layout-template-json",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-layout-template-json",
          "product": "Apache Log4j JSON Template Layout",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.14.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta3",
              "status": "affected",
              "version": "3.0.0-alpha1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eApache Log4j\u0027s \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/json-template-layout.html\"\u003eJsonTemplateLayout\u003c/a\u003e\u003c/code\u003e, in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (\u003ccode\u003eNaN\u003c/code\u003e, \u003ccode\u003eInfinity\u003c/code\u003e, or \u003ccode\u003e-Infinity\u003c/code\u003e), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.\u003c/p\u003e\u003cp\u003eAn attacker can exploit this issue only if both of the following conditions are met:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe application uses \u003ccode\u003eJsonTemplateLayout\u003c/code\u003e.\u003c/li\u003e\u003cli\u003eThe application logs a \u003ccode\u003eMapMessage\u003c/code\u003e containing an attacker-controlled floating-point value.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.\u003c/p\u003e"
            }
          ],
          "value": "Apache Log4j\u0027s  JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.\n\nAn attacker can exploit this issue only if both of the following conditions are met:\n\n  *  The application uses JsonTemplateLayout.\n  *  The application logs a MapMessage containing an attacker-controlled floating-point value.\n\n\nUsers are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:43:00.100Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4080"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34481"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/manual/json-template-layout.html"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-16T18:14:00.000Z",
          "value": "Vulnerability reported by Ap4sh and ethicxz"
        },
        {
          "lang": "en",
          "time": "2026-03-10T20:42:00.000Z",
          "value": "Candidate patch internally shared by Piotr P. Karwasz"
        },
        {
          "lang": "en",
          "time": "2026-03-24T23:06:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4080"
        },
        {
          "lang": "en",
          "time": "2026-03-25T09:54:00.000Z",
          "value": "Fix verified by the reporter"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34481",
    "datePublished": "2026-04-10T15:43:00.100Z",
    "dateReserved": "2026-03-28T19:23:37.127Z",
    "dateUpdated": "2026-04-10T17:41:38.229Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:21773

CVE-2025-11143 (GCVE-0-2025-11143)

CVE-2026-2332 (GCVE-0-2026-2332)

CVE-2026-34477 (GCVE-0-2026-34477)

CVE-2026-34478 (GCVE-0-2026-34478)

CVE-2026-34479 (GCVE-0-2026-34479)

CVE-2026-34480 (GCVE-0-2026-34480)

CVE-2026-34481 (GCVE-0-2026-34481)

Tags

Sightings

Nomenclature