GitHub user ramanathan1504 added a comment to the discussion: Threat model: how should Thread Context (MDC) keys be classified (trusted structural or untrusted content)?
That is a very precise distinction. If we classify keys as untrusted, an escaping bug is a CVE; if trusted, it's just a normal formatting bug. Classifying them as untrusted seems safer, as security teams and SIEM parsers will treat key-based JSON corruption as a vulnerability in the wild regardless.

GitHub link: https://github.com/apache/logging-log4j2/discussions/4132#discussioncomment-17155532
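To make the "key-based JSON corruption" in the comment above concrete, here is an added example (not Log4j code and not from the discussion) in Python. It contrasts a layout that escapes only values, trusting keys as structural, with one that escapes keys as untrusted content, and includes the check a SIEM-minded reviewer would want: does the emitted record parse back to exactly the fields the application intended? The context map and its keys are constructed for the demonstration.

```python
import json

# Constructed sample of a thread-context (MDC) map. Two keys carry characters that
# are legal in a Java string but significant inside a JSON object key.
SAMPLE_CONTEXT = {
    'requestId': 'abc-123',
    'user"name': 'alice',   # embedded double quote
    'trace\nid': 't-1',     # embedded control character
}


def naive_json_layout(message, context):
    """Builds a JSON record but escapes only values, treating keys as trusted structure."""
    parts = ['"message": ' + json.dumps(message)]
    for key, value in context.items():
        parts.append('"' + key + '": ' + json.dumps(value))
    return '{' + ', '.join(parts) + '}'


def escaped_json_layout(message, context):
    """Builds the same record but lets the JSON encoder escape keys and values alike."""
    record = {'message': message}
    for key, value in context.items():
        record[str(key)] = value
    return json.dumps(record)


def record_is_faithful(serialized, message, context):
    """True only if the record parses as JSON and carries exactly the intended fields."""
    try:
        parsed = json.loads(serialized)
    except json.JSONDecodeError:
        return False
    expected = {'message': message, **context}
    return parsed == expected


def demo(message='request handled'):
    """Runs both layouts over the constructed context and reports which survive the check."""
    naive = naive_json_layout(message, SAMPLE_CONTEXT)
    escaped = escaped_json_layout(message, SAMPLE_CONTEXT)
    return {
        'naive_faithful': record_is_faithful(naive, message, SAMPLE_CONTEXT),
        'escaped_faithful': record_is_faithful(escaped, message, SAMPLE_CONTEXT),
    }


if __name__ == '__main__':
    print(naive_json_layout('request handled', SAMPLE_CONTEXT))
    print(escaped_json_layout('request handled', SAMPLE_CONTEXT))
    print(demo())
```

The naive layout produces a line that a strict JSON parser rejects outright, which is the benign outcome; the worrying variant of the same bug is a key whose characters happen to yield a record that still parses but with a different shape than the application wrote. The round-trip check catches both, and is the kind of assertion worth keeping in a layout's test suite once keys are classified as untrusted.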
