CVE-2020-9488

Severity CVSS v4.0:
Pending analysis
Type:
CWE-295 Improper Certificate Validation
Publication date:
27/04/2020
Last modified:
07/11/2023

Description

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* 2.0 (including) 2.3.2 (excluding)
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* 2.4 (including) 2.12.3 (excluding)
cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* 2.13.0 (including) 2.13.2 (excluding)
cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_for_peoplesoft:13.4.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* 8.0.6.0.0 (including) 8.1.0.0.0 (including)


References to Advisories, Solutions, and Tools