CVE-2006-3835 Affecting log4j package, versions <0:1.2.12-1jpp_1rh


Severity

Recommended
low

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
51.86% (98th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL10-LOG4J-9845379
  • published28 Apr 2025
  • disclosed21 Jul 2006

Introduced: 21 Jul 2006

CVE-2006-3835  (opens in a new tab)

How to fix?

Upgrade RHEL:10 log4j to version 0:1.2.12-1jpp_1rh or higher.
This issue was patched in RHSA-2010:0602.

NVD Description

Note: Versions mentioned in the description apply only to the upstream log4j package and not the log4j package as distributed by RHEL. See How to fix? for RHEL:10 relevant fixed versions and status.

Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.

References

CVSS Base Scores

version 3.1