CVE-2020-9488

LOW

Apache Log4j 2 SMTP Appender < 2.12.3 / 2.13.1 - Improper Certificate Validation

Title source: rule

Description

The Apache Log4j SMTP appender does not verify that the certificate presented by the mail server matches the configured SMTP host (host mismatch). An attacker positioned on the path of the SMTPS connection can therefore present any certificate the client's trust store accepts, regardless of the name it was issued for, complete the TLS handshake as a man-in-the-middle, and read every log message sent through that appender. Only deployments that route log events through the SMTP appender over TLS are affected. Fixed in Apache Log4j 2.12.3 and 2.13.1.
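As an added example (not code from the Log4j project or from the writeup linked below), the following Python audit reads a Log4j 2 XML configuration, lists every SMTP appender, and flags those that send over SMTPS on a release the advisory does not list as fixed. The sample configuration is constructed for the demonstration; the version logic treats 2.12.3 and later on the 2.12 line and 2.13.1 and later as fixed, exactly as the description states, and assumes every other 2.x release is affected (older maintenance lines such as 2.3.x are not assessed separately).

```python
"""Audit a Log4j 2 XML configuration for SMTP appenders exposed to CVE-2020-9488.

Added example for this page, not code from the Log4j project. The sample
configuration below is constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Tuple

# Fixed releases named in the advisory. 2.12.3+ on the 2.12 line and 2.13.1+
# are treated as fixed; every other 2.x release is treated as affected.
# Assumption: older maintenance lines (e.g. 2.3.x) are not assessed separately.
FIXED_2_12 = (2, 12, 3)
FIXED_2_13 = (2, 13, 1)
NEXT_MINOR_AFTER_2_12 = (2, 13, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.13.0' -> (2, 13, 0); '2.0-beta9' -> (2, 0, 0). Suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable Log4j version: {version!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def is_fixed(version: str) -> bool:
    """True when the Log4j 2 release carries the CVE-2020-9488 fix."""
    v = parse_version(version)
    if v[0] != 2:
        raise ValueError("this check covers Log4j 2.x only")
    if v >= FIXED_2_13:
        return True
    return FIXED_2_12 <= v < NEXT_MINOR_AFTER_2_12


class Finding(NamedTuple):
    appender: str
    protocol: str
    host: str
    port: str
    verdict: str


def audit_smtp_appenders(config_xml: str, log4j_version: str) -> List[Finding]:
    """Return one Finding per SMTP appender found in a Log4j 2 XML configuration."""
    root = ET.fromstring(config_xml)
    fixed = is_fixed(log4j_version)
    findings: List[Finding] = []
    for el in root.iter():
        # Log4j 2 accepts both <SMTP .../> and the strict form <Appender type="SMTP" .../>.
        if el.tag != "SMTP" and el.get("type") != "SMTP":
            continue
        protocol = (el.get("smtpProtocol") or "smtp").lower()  # Log4j default is "smtp"
        host = el.get("smtpHost") or "(unset)"
        port = el.get("smtpPort") or "(protocol default)"
        if protocol == "smtps" and not fixed:
            verdict = ("EXPOSED: SMTPS without server hostname verification "
                       "(CVE-2020-9488); upgrade to 2.12.3 / 2.13.1 or later")
        elif protocol == "smtps":
            verdict = "ok: SMTPS on a release that carries the fix"
        else:
            # Plain SMTP is outside the advisory's SMTPS case. It is cleartext
            # unless STARTTLS is enabled through JavaMail properties; if it is,
            # confirm mail.smtp.ssl.checkserveridentity is true as well.
            verdict = "review: plain SMTP (cleartext unless STARTTLS is configured)"
        findings.append(Finding(el.get("name", "?"), protocol, host, port, verdict))
    return findings


# Constructed sample: one SMTPS appender, one strict-form plain SMTP appender.
SAMPLE_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <SMTP name="AlertMail" subject="[prod] errors" to="ops@example.com"
          from="app@example.com" smtpHost="mail.example.com" smtpPort="465"
          smtpProtocol="smtps" bufferSize="50">
      <PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
    </SMTP>
    <Appender type="SMTP" name="LegacyMail" subject="legacy" to="ops@example.com"
              from="app@example.com" smtpHost="relay.internal" smtpPort="25"/>
    <Console name="Stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="error">
      <AppenderRef ref="AlertMail"/>
      <AppenderRef ref="LegacyMail"/>
      <AppenderRef ref="Stdout"/>
    </Root>
  </Loggers>
</Configuration>
"""

if __name__ == "__main__":
    for ver in ("2.13.0", "2.12.3", "2.13.1"):
        print(f"Log4j {ver}:")
        for f in audit_smtp_appenders(SAMPLE_CONFIG, ver):
            print(f"  {f.appender:<10} {f.protocol}://{f.host}:{f.port}  {f.verdict}")
```

The JavaMail property behind the missing check is mail.smtps.ssl.checkserveridentity (mail.smtp.ssl.checkserveridentity for STARTTLS-upgraded sessions); JavaMail 1.x defaults it to false, so a TLS session without it accepts any certificate the trust store considers valid, whatever name it was issued for. Run the audit against the configuration actually deployed, not a template, since smtpProtocol is often set per environment.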

Exploits (1)

nomisec WRITEUP
by arsalanraja987 · poc
https://github.com/arsalanraja987/java-log4j-cve-2020-9488

References (49)

Scores

CVSS v3 3.7
EPSS 0.0003
EPSS Percentile 8.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-295
Status published
Products (50)
apache/log4j 2.0 - 2.3.2
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
oracle/communications_application_session_controller 3.9m0p1
oracle/communications_billing_and_revenue_management 7.5.0.23.0
oracle/communications_billing_and_revenue_management 12.0.0.3.0
oracle/communications_eagle_ftp_table_base_retrieval 4.5
oracle/communications_offline_mediation_controller 12.0.0.3.0
oracle/communications_services_gatekeeper 7.0
... and 40 more
Published Apr 27, 2020
Tracked Since Feb 18, 2026