CVE-2018-1285 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2018-1285 Interim 1 16 2024-07-27T00:39:41Z current 2021-05-30T14:07:02Z 2024-07-27T00:39:41Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2018-1285 Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Server 11 SP1 for Teradata SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE Linux Enterprise Server 11 SP4 LTSS openSUSE Tumbleweed log4net log4net-1.2.10-3.3.1 log4net-1.2.10-78.1 log4net-1.2.10-3.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA log4net-1.2.10-78.1 as a component of openSUSE Tumbleweed log4net as a component of SUSE Linux Enterprise Server 11 SP1 for Teradata log4net as a component of SUSE Linux Enterprise Server 11 SP4 LTSS Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files. CVE-2018-1285 SUSE Linux Enterprise Server 11 SP3-TERADATA:log4net-1.2.10-3.3.1 openSUSE Tumbleweed:log4net-1.2.10-78.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L