This is an automated email from the ASF dual-hosted git repository.

pkarwasz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/logging-site.git

commit dddf1b922ef9d5bcd67a09e2a3adeb54811ad35b
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Fri Aug 22 09:41:33 2025 +0200

    docs: add CVE-2025-54812 details
    
    Document the improper escaping of special elements in
    `HTMLLayout` in Apache Log4cxx.
---
 _vulnerabilities.adoc | 49 ++++++++++++++++++++++++++++++++++++--
 cyclonedx/vdr.xml     | 65 +++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 110 insertions(+), 4 deletions(-)

diff --git a/_vulnerabilities.adoc b/_vulnerabilities.adoc
index 9a861e10..fc8f4cad 100644
--- a/_vulnerabilities.adoc
+++ b/_vulnerabilities.adoc
@@ -20,10 +20,55 @@ We choose to pool all information on this one page, 
allowing easy searching for
 
 [NOTE]
 ====
-We adhere to 
https://maven.apache.org/enforcer/enforcer-rules/versionRanges.html[the Maven 
version range syntax] while sharing versions of affected components.
-We only extend this mathematical notation with set union operator (i.e., `∪`) 
to denote union of multiple ranges.
+Version ranges follow the 
https://github.com/package-url/vers-spec/blob/main/VERSION-RANGE-SPEC.rst[VERS 
specification]:
+
+* Log4cxx: `semver` scheme
+* Log4j: `maven` scheme
+* Log4net: `nuget` scheme
+
+For brevity, mathematical interval notation is used, with the union operator 
(`∪`) to represent multiple ranges.
 ====
 
+[#CVE-2025-54812]
+== {cve-url-prefix}/CVE-2025-54812[CVE-2025-54812]
+
+[cols="1h,5"]
+|===
+|Summary |Improper HTML escaping in HTMLLayout
+|CVSS 4.x Score & Vector |2.1 LOW 
(CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
+|Components affected |Apache Log4cxx
+|Versions affected |`[0, 1.5.0)`
+|Versions fixed |`1.5.0`
+|===
+
+[#CVE-2025-54812-description]
+=== Description
+
+When using `HTMLLayout`, logger names are not properly escaped when writing 
out to the HTML file.
+If untrusted data is used to retrieve the name of a logger, an attacker could 
theoretically inject HTML or Javascript in order to hide information from logs 
or steal data from the user.
+In order to activate this, the following sequence must occur:
+
+* Log4cxx is configured to use `HTMLLayout`.
+* Logger name comes from an untrusted string.
+* Logger with compromised name logs a message.
+* User opens the generated HTML log file in their browser, leading to 
potential XSS.
+
+Because logger names are generally constant strings, we assess the impact to 
users as LOW.
+
+[#CVE-2025-54812-remediation]
+=== Remediation
+Users are recommended to upgrade to version `1.5.0`, which fixes the issue.
+
+[#CVE-2025-54812-credits]
+=== Credits
+This issue was discovered and remediated with support from the Sovereign Tech 
Agency, through the 
https://yeswehack.com/programs/log4j-bug-bounty-program[Apache Log4j Bug Bounty 
Program on YesWeHack].
+
+[#CVE-2025-54812-references]
+=== References
+* {cve-url-prefix}/CVE-2025-54812[CVE-2025-54812]
+* https://github.com/apache/logging-log4cxx/pull/509[Pull request #509]
+* https://github.com/apache/logging-log4cxx/pull/514[Pull request #514]
+
 [#CVE-2021-44832]
 == {cve-url-prefix}/CVE-2021-44832[CVE-2021-44832]
 
diff --git a/cyclonedx/vdr.xml b/cyclonedx/vdr.xml
index 110dc499..78d9f196 100644
--- a/cyclonedx/vdr.xml
+++ b/cyclonedx/vdr.xml
@@ -40,11 +40,11 @@
 <bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
      xmlns="http://cyclonedx.org/schema/bom/1.6";
      xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 
https://cyclonedx.org/schema/bom-1.6.xsd";
-     version="3"
+     version="4"
      serialNumber="urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06">
 
   <metadata>
-    <timestamp>2025-08-17T11:18:06Z</timestamp>
+    <timestamp>2025-08-22T07:31:10Z</timestamp>
     <manufacturer>
       <name>Apache Logging Services</name>
       <url>https://logging.apache.org</url>
@@ -54,6 +54,9 @@
   <!-- We add *dummy* components to refer to in `affects` blocks.
        This is necessary, since not all Log4j components have SBOMs associated 
with them. -->
   <components>
+    <component type="library" bom-ref="log4cxx">
+      <name>Apache Log4cxx</name>
+    </component>
     <component type="library" 
bom-ref="pkg:maven/org.apache.logging.log4j/log4j-core?type=jar">
       <group>org.apache.logging.log4j</group>
       <name>log4j-core</name>
@@ -64,6 +67,64 @@
 
   <vulnerabilities>
 
+    <vulnerability>
+      <id>CVE-2025-54812</id>
+      <source>
+        <name>NVD</name>
+        <url>https://nvd.nist.gov/vuln/detail/CVE-2025-54812</url>
+      </source>
+      <ratings>
+        <rating>
+          <source>
+            <name>NVD</name>
+            <url>
+              
https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator?vector=AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
+            </url>
+          </source>
+          <score>2.1</score>
+          <severity>low</severity>
+          <method>CVSSv4</method>
+          
<vector>AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N</vector>
+        </rating>
+      </ratings>
+      <cwes>
+        <cwe>117</cwe>
+      </cwes>
+      <description><![CDATA[When using `HTMLLayout`, logger names are not 
properly escaped when writing out to the HTML file.
+If untrusted data is used to retrieve the name of a logger, an attacker could 
theoretically inject HTML or Javascript in order to hide information from logs 
or steal data from the user.
+In order to activate this, the following sequence must occur:
+
+* Log4cxx is configured to use `HTMLLayout`.
+* Logger name comes from an untrusted string.
+* Logger with compromised name logs a message.
+* User opens the generated HTML log file in their browser, leading to 
potential XSS.
+
+Because logger names are generally constant strings, we assess the impact to 
users as LOW.]]></description>
+      <recommendation>
+        <![CDATA[Users are recommended to upgrade to version `1.5.0`, which 
fixes the issue.]]></recommendation>
+      <created>2025-08-22T07:31:10Z</created>
+      <published>2025-08-22T07:31:10Z</published>
+      <updated>2025-08-22T07:31:10Z</updated>
+      <credits>
+        <organizations>
+          <organization>
+            <name>Sovereign Tech Agency</name>
+            <url>https://www.sovereign.tech/</url>
+          </organization>
+        </organizations>
+      </credits>
+      <affects>
+        <target>
+          <ref>logcxx</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:semver<1.5.0]]></range>
+            </version>
+          </versions>
+        </target>
+      </affects>
+    </vulnerability>
+
     <vulnerability>
       <id>CVE-2021-44832</id>
       <source>
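Review bot: The `<affects>` target `<ref>logcxx</ref>` does not match the dummy component introduced in the earlier hunk of this file, whose bom-ref is `log4cxx`, so the reference resolves to no component and consumers of the VDR cannot link this vulnerability to Apache Log4cxx; it should read `<ref>log4cxx</ref>`. The rating `<url>` is written with the URI on its own indented line, and since whitespace inside element text is delivered as data, a strict `xs:anyURI` consumer may reject or mis-handle it unless it trims; putting the value on one line like the sibling `<url>` elements avoids that. The `<cwe>117</cwe>` classification (output neutralization for logs) also looks like a loose fit for an HTML-escaping defect that surfaces in a browser, where CWE-79 is the usual classification; worth confirming against the published advisory rather than changing blindly.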
