SQL Injection Affecting log4cxx package, versions [0.12.0,1.1.0)


Severity: high (CVSS assessment by Snyk's Security Team)

Threat Intelligence

EPSS: 0.5% (66th percentile)

  • Snyk ID: SNYK-CONAN-LOG4CXX-10077596
  • Published: 8 May 2025
  • Disclosed: 8 May 2023
  • Credit: Unknown

Introduced: 8 May 2023

CVE-2023-31038
CWE-89

How to fix?

Upgrade log4cxx to version 1.1.0 or higher.

Overview

Affected versions of this package are vulnerable to SQL Injection when using the ODBC appender to send log messages to a database. The vulnerability is exploitable because user input is not properly escaped before it is placed into the SQL statement.

Note: The following preconditions must be met for this vulnerability to be exploitable:

  1. Log4cxx compiled with ODBC support (before version 1.1.0, this was auto-detected at compile time)

  2. ODBCAppender enabled for logging messages to a database, generally done via a config file

  3. User input is logged at some point.

If your application does not have user input, it is unlikely to be affected.
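The two preconditions that can be checked without rebuilding the application are the installed version (inside the affected range [0.12.0, 1.1.0)) and whether a log4cxx configuration wires up the ODBC appender. The script below is an added triage example, not Snyk's or the log4cxx project's code: the sample configurations are constructed for this example, and the `org.apache.log4j.odbc.ODBCAppender` class name used in them is an assumption based on log4cxx's log4j-style naming, so the check matches the bare `ODBCAppender` token rather than relying on that full name.

```python
"""Triage helper for the log4cxx ODBC appender SQL injection (CVE-2023-31038).

Added example (not log4cxx or Snyk code). It answers two questions the
advisory poses: is the installed version inside [0.12.0, 1.1.0), and does the
logging configuration reference the ODBC appender?
"""
import re

# Affected range from the advisory: lower bound inclusive, 1.1.0 is the first
# fixed release and therefore excluded.
AFFECTED_LOWER = (0, 12, 0)
FIXED_VERSION = (1, 1, 0)

# Precondition 2 marker. Matched case-insensitively as a whole token so both a
# fully qualified class name and a bare appender name are detected.
ODBC_APPENDER_RE = re.compile(r"\bODBCAppender\b", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch' into a comparable tuple; reject other shapes."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised log4cxx version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(version: str) -> bool:
    """True when the version falls inside [0.12.0, 1.1.0)."""
    return AFFECTED_LOWER <= parse_version(version) < FIXED_VERSION


def config_uses_odbc_appender(config_text: str) -> bool:
    """True when a log4cxx configuration references the ODBC appender."""
    return bool(ODBC_APPENDER_RE.search(config_text))


def assess(version: str, config_text: str) -> dict:
    """Combine both checks. Precondition 1 (built with ODBC support) and
    precondition 3 (user input reaches a log call) cannot be read from the
    version string and config alone, so 'investigate' flags what to follow up."""
    affected_version = is_affected_version(version)
    odbc_configured = config_uses_odbc_appender(config_text)
    return {
        "affected_version": affected_version,
        "odbc_appender_configured": odbc_configured,
        "investigate": affected_version and odbc_configured,
        "fix": "upgrade log4cxx to 1.1.0 or higher" if affected_version else None,
    }


# Constructed sample configurations for this example (no real deployment).
# The ODBCAppender class name below is an assumption about log4cxx naming.
SAMPLE_ODBC_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="db" class="org.apache.log4j.odbc.ODBCAppender">
    <param name="URL" value="DSN=logdb;UID=logger;PWD=PLACEHOLDER"/>
  </appender>
  <root><priority value="info"/><appender-ref ref="db"/></root>
</log4j:configuration>
"""

SAMPLE_CONSOLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %-5p %c - %m%n"/>
    </layout>
  </appender>
  <root><priority value="info"/><appender-ref ref="console"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for ver, cfg in (("1.0.0", SAMPLE_ODBC_CONFIG),
                     ("1.0.0", SAMPLE_CONSOLE_CONFIG),
                     ("1.1.0", SAMPLE_ODBC_CONFIG)):
        print(ver, assess(ver, cfg))
```

A result with `investigate` set to True does not prove exploitability; it means the version and configuration conditions hold and the remaining preconditions (ODBC support compiled in, user-controlled data reaching a log call) need to be confirmed against the build and the application code.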

CVSS Base Scores: version 3.1