This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/logging-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 4fa2516d Automatic Site Publish by Buildbot
4fa2516d is described below

commit 4fa2516d34e052e2a4e633402e4e05e8a4460a6b
Author: buildbot <us...@infra.apache.org>
AuthorDate: Fri Aug 22 18:10:37 2025 +0000

    Automatic Site Publish by Buildbot
---
 content/cyclonedx/vdr.xml | 116 ++++++++++++++++++++++++++++++-
 content/feed.xml          |   2 +-
 content/security.html     | 169 +++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 282 insertions(+), 5 deletions(-)

diff --git a/content/cyclonedx/vdr.xml b/content/cyclonedx/vdr.xml
index 110dc499..f9d382b1 100644
--- a/content/cyclonedx/vdr.xml
+++ b/content/cyclonedx/vdr.xml
@@ -40,11 +40,11 @@
 <bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
      xmlns="http://cyclonedx.org/schema/bom/1.6";
      xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 
https://cyclonedx.org/schema/bom-1.6.xsd";
-     version="3"
+     version="4"
      serialNumber="urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06">
 
   <metadata>
-    <timestamp>2025-08-17T11:18:06Z</timestamp>
+    <timestamp>2025-08-22T07:31:10Z</timestamp>
     <manufacturer>
       <name>Apache Logging Services</name>
       <url>https://logging.apache.org</url>
@@ -54,6 +54,9 @@
   <!-- We add *dummy* components to refer to in `affects` blocks.
        This is necessary, since not all Log4j components have SBOMs associated 
with them. -->
   <components>
+    <component type="library" bom-ref="log4cxx">
+      <name>Apache Log4cxx</name>
+    </component>
     <component type="library" 
bom-ref="pkg:maven/org.apache.logging.log4j/log4j-core?type=jar">
       <group>org.apache.logging.log4j</group>
       <name>log4j-core</name>
@@ -64,6 +67,115 @@
 
   <vulnerabilities>
 
+    <vulnerability>
+      <id>CVE-2025-54813</id>
+      <source>
+        <name>NVD</name>
+        <url>https://nvd.nist.gov/vuln/detail/CVE-2025-54813</url>
+      </source>
+      <ratings>
+        <rating>
+          <source>
+            <name>NVD</name>
+            <url>
+              
https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator?vector=AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
+            </url>
+          </source>
+          <score>6.3</score>
+          <severity>medium</severity>
+          <method>CVSSv4</method>
+          
<vector>AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N</vector>
+        </rating>
+      </ratings>
+      <cwes>
+        <cwe>117</cwe>
+      </cwes>
+      <description><![CDATA[When using `JSONLayout`, not all payload bytes are 
properly escaped.
+If an attacker-supplied message contains certain non-printable characters, 
these will be passed along in the message and written out as part of the JSON 
message.
+This may prevent applications that consume these logs from correctly 
interpreting the information within them.]]></description>
+      <recommendation>
+        <![CDATA[Users are recommended to upgrade to version `1.5.0`, which 
fixes the issue.]]></recommendation>
+      <created>2025-08-22T07:31:10Z</created>
+      <published>2025-08-22T07:31:10Z</published>
+      <updated>2025-08-22T07:31:10Z</updated>
+      <credits>
+        <organizations>
+          <organization>
+            <name>Sovereign Tech Agency</name>
+            <url>https://www.sovereign.tech/</url>
+          </organization>
+        </organizations>
+      </credits>
+      <affects>
+        <target>
+          <ref>logcxx</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:semver>=0.11.0|<1.5.0]]></range>
+            </version>
+          </versions>
+        </target>
+      </affects>
+    </vulnerability>
+
+    <vulnerability>
+      <id>CVE-2025-54812</id>
+      <source>
+        <name>NVD</name>
+        <url>https://nvd.nist.gov/vuln/detail/CVE-2025-54812</url>
+      </source>
+      <ratings>
+        <rating>
+          <source>
+            <name>NVD</name>
+            <url>
+              
https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator?vector=AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
+            </url>
+          </source>
+          <score>2.1</score>
+          <severity>low</severity>
+          <method>CVSSv4</method>
+          
<vector>AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N</vector>
+        </rating>
+      </ratings>
+      <cwes>
+        <cwe>117</cwe>
+      </cwes>
+      <description><![CDATA[When using `HTMLLayout`, logger names are not 
properly escaped when writing out to the HTML file.
+If untrusted data is used to retrieve the name of a logger, an attacker could 
theoretically inject HTML or Javascript in order to hide information from logs 
or steal data from the user.
+In order to activate this, the following sequence must occur:
+
+* Log4cxx is configured to use `HTMLLayout`.
+* Logger name comes from an untrusted string.
+* Logger with compromised name logs a message.
+* User opens the generated HTML log file in their browser, leading to 
potential XSS.
+
+Because logger names are generally constant strings, we assess the impact to 
users as LOW.]]></description>
+      <recommendation>
+        <![CDATA[Users are recommended to upgrade to version `1.5.0`, which 
fixes the issue.]]></recommendation>
+      <created>2025-08-22T07:31:10Z</created>
+      <published>2025-08-22T07:31:10Z</published>
+      <updated>2025-08-22T07:31:10Z</updated>
+      <credits>
+        <organizations>
+          <organization>
+            <name>Sovereign Tech Agency</name>
+            <url>https://www.sovereign.tech/</url>
+          </organization>
+        </organizations>
+      </credits>
+      <affects>
+        <target>
+          <ref>logcxx</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:semver<1.5.0]]></range>
+            </version>
+          </versions>
+        </target>
+      </affects>
+    </vulnerability>
+
     <vulnerability>
       <id>CVE-2021-44832</id>
       <source>
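Review bot: both new `affects` targets point at `<ref>logcxx</ref>`, but the dummy component declared earlier in this change is `bom-ref="log4cxx"`, so neither CVE-2025-54813 nor CVE-2025-54812 resolves to the Apache Log4cxx component and tooling that consumes this VDR cannot match them to anything. Change both targets to `<ref>log4cxx</ref>` (or rename the bom-ref) and consider adding a build-time check that every `affects/target/ref` resolves to a declared `bom-ref`, since this class of typo is invisible to plain schema validation.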
diff --git a/content/feed.xml b/content/feed.xml
index 926e715b..7b300403 100644
--- a/content/feed.xml
+++ b/content/feed.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?><feed 
xmlns="http://www.w3.org/2005/Atom"; ><generator uri="https://jekyllrb.com/"; 
version="4.4.1">Jekyll</generator><link href="/feed.xml" rel="self" 
type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" 
/><updated>2025-08-22T06:47:02+00:00</updated><id>/feed.xml</id><title 
type="html">Apache Software Foundation - Logging 
Services</title><subtitle>Write an awesome description for your new site here. 
You can edit this line in _ [...]
+<?xml version="1.0" encoding="utf-8"?><feed 
xmlns="http://www.w3.org/2005/Atom"; ><generator uri="https://jekyllrb.com/"; 
version="4.4.1">Jekyll</generator><link href="/feed.xml" rel="self" 
type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" 
/><updated>2025-08-22T18:10:36+00:00</updated><id>/feed.xml</id><title 
type="html">Apache Software Foundation - Logging 
Services</title><subtitle>Write an awesome description for your new site here. 
You can edit this line in _ [...]
 
 <p>A <strong>Vulnerability Exploitability eXchange (VEX)</strong> is a 
machine-readable file used to indicate whether vulnerabilities in an 
application’s third-party dependencies are actually exploitable.</p>
 
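Review bot: only the `<updated>` timestamp changes in this hunk, while the `<subtitle>` still ships the Jekyll scaffold text "Write an awesome description for your new site here. You can edit this line in _…" in both the old and the new feed. Set a real site description in the Jekyll configuration so the next automatic publish replaces the placeholder; the feed is regenerated on every push, so the fix belongs upstream rather than in this generated file.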
diff --git a/content/security.html b/content/security.html
index af4eabe4..9ce7f2fe 100644
--- a/content/security.html
+++ b/content/security.html
@@ -429,14 +429,179 @@ We choose to pool all information on this one page, 
allowing easy searching for
 </td>
 <td class="content">
 <div class="paragraph">
-<p>We adhere to <a 
href="https://maven.apache.org/enforcer/enforcer-rules/versionRanges.html";>the 
Maven version range syntax</a> while sharing versions of affected components.
-We only extend this mathematical notation with set union operator (i.e., 
<code>∪</code>) to denote union of multiple ranges.</p>
+<p>Version ranges follow the <a 
href="https://github.com/package-url/vers-spec/blob/main/VERSION-RANGE-SPEC.rst";>VERS
 specification</a>:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Log4cxx: <code>semver</code> scheme</p>
+</li>
+<li>
+<p>Log4j: <code>maven</code> scheme</p>
+</li>
+<li>
+<p>Log4net: <code>nuget</code> scheme</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>For brevity, mathematical interval notation is used, with the union 
operator (<code>∪</code>) to represent multiple ranges.</p>
 </div>
 </td>
 </tr>
 </table>
 </div>
 <div class="sect2">
+<h3 id="CVE-2025-54813"><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2025-54812";>CVE-2025-54813</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p 
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Improper 
escaping with JSONLayout</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 4.x 
Score &amp; Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">6.3 MEDIUM 
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Apache 
Log4cxx</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>[0.11.0, 1.5.0)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>1.5.0</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2025-54813-description">Description</h4>
+<div class="paragraph">
+<p>When using <code>JSONLayout</code>, not all payload bytes are properly 
escaped.
+If an attacker-supplied message contains certain non-printable characters, 
these will be passed along in the message and written out as part of the JSON 
message.
+This may prevent applications that consume these logs from correctly 
interpreting the information within them.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2025-54813-remediation">Remediation</h4>
+<div class="paragraph">
+<p>Users are recommended to upgrade to version <code>1.5.0</code>, which fixes 
the issue.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2025-54813-credits">Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered and remediated with support from the Sovereign 
Tech Agency, through the <a 
href="https://yeswehack.com/programs/log4j-bug-bounty-program";>Apache Log4j Bug 
Bounty Program on YesWeHack</a>.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2025-54813-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2025-54813";>CVE-2025-54813</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4cxx/pull/512";>Pull request 
that fixes the issue</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="CVE-2025-54812"><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2025-54812";>CVE-2025-54812</a></h3>
+<table class="tableblock frame-all grid-all stretch">
+<colgroup>
+<col style="width: 16.6666%;">
+<col style="width: 83.3334%;">
+</colgroup>
+<tbody>
+<tr>
+<th class="tableblock halign-left valign-top"><p 
class="tableblock">Summary</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Improper 
HTML escaping in HTMLLayout</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">CVSS 4.x 
Score &amp; Vector</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">2.1 LOW 
(CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Components 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Apache 
Log4cxx</p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
affected</p></th>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>[0, 
1.5.0)</code></p></td>
+</tr>
+<tr>
+<th class="tableblock halign-left valign-top"><p class="tableblock">Versions 
fixed</p></th>
+<td class="tableblock halign-left valign-top"><p 
class="tableblock"><code>1.5.0</code></p></td>
+</tr>
+</tbody>
+</table>
+<div class="sect3">
+<h4 id="CVE-2025-54812-description">Description</h4>
+<div class="paragraph">
+<p>When using <code>HTMLLayout</code>, logger names are not properly escaped 
when writing out to the HTML file.
+If untrusted data is used to retrieve the name of a logger, an attacker could 
theoretically inject HTML or Javascript in order to hide information from logs 
or steal data from the user.
+In order to activate this, the following sequence must occur:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Log4cxx is configured to use <code>HTMLLayout</code>.</p>
+</li>
+<li>
+<p>Logger name comes from an untrusted string.</p>
+</li>
+<li>
+<p>Logger with compromised name logs a message.</p>
+</li>
+<li>
+<p>User opens the generated HTML log file in their browser, leading to 
potential XSS.</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>Because logger names are generally constant strings, we assess the impact 
to users as LOW.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2025-54812-remediation">Remediation</h4>
+<div class="paragraph">
+<p>Users are recommended to upgrade to version <code>1.5.0</code>, which fixes 
the issue.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2025-54812-credits">Credits</h4>
+<div class="paragraph">
+<p>This issue was discovered and remediated with support from the Sovereign 
Tech Agency, through the <a 
href="https://yeswehack.com/programs/log4j-bug-bounty-program";>Apache Log4j Bug 
Bounty Program on YesWeHack</a>.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="CVE-2025-54812-references">References</h4>
+<div class="ulist">
+<ul>
+<li>
+<p><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2025-54812";>CVE-2025-54812</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4cxx/pull/509";>Pull request 
#509</a></p>
+</li>
+<li>
+<p><a href="https://github.com/apache/logging-log4cxx/pull/514";>Pull request 
#514</a></p>
+</li>
+</ul>
+</div>
+</div>
+</div>
+<div class="sect2">
 <h3 id="CVE-2021-44832"><a 
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832";>CVE-2021-44832</a></h3>
 <table class="tableblock frame-all grid-all stretch">
 <colgroup>
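Review bot: the heading for CVE-2025-54813 links to the wrong advisory: `<h3 id="CVE-2025-54813"><a href="https://nvd.nist.gov/vuln/detail/CVE-2025-54812">CVE-2025-54813</a></h3>` sends readers to CVE-2025-54812, while the References list under the same section correctly links CVE-2025-54813. Since this is generated output, correct the href in the source page and republish. Smaller points in the same hunk: the reference labels are inconsistent between the two advisories ("Pull request that fixes the issue" for #512 versus "Pull request #509" and "Pull request #514"), and "Javascript" in the CVE-2025-54812 description should read "JavaScript".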
