Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
The product does not validate, or incorrectly validates, a certificate.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Log4j | Apache | 2.0 (including) | 2.3.2 (excluding) |
Log4j | Apache | 2.4 (including) | 2.12.3 (excluding) |
Log4j | Apache | 2.13.0 (including) | 2.13.2 (excluding) |