E20-7slf1
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
False Positive: f
Variants: 1
Year: 2019
Description
An untrusted deserialization vulnerability exists in Apache Log4j versions 1.2 up to 1.2.17.
The vulnerability is due to the lack of class filtering in the SocketServer and SocketNode classes.
By sending a crafted serialized Java object, a remote unauthenticated attacker may execute arbitrary code on the target system.