CVE-2021-44832

medium Apache
CVSS v3 Base Score
6.6
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score
53.6%
Exploitation probability in 30 days
Top 2% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Confidentiality
High
Integrity
High
Availability
High
Published: December 28, 2021 (1655 days ago)
Last Modified: May 29, 2026
Vendor: Apache
Source: NVD

Description

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

CWE

CWE-20

Affected Products

apache log4joracle communications diameter signaling routeroracle communications interactive session recorderoracle primavera gatewayoracle primavera p6 enterprise project portfolio managementoracle primavera unifieroracle retail assortment planningoracle retail fiscal managementoracle siebel ui frameworkoracle weblogic server

References