CVE-2020-9488

LOW

Apache Log4j 2.0-2.12.2, 2.13.0 - Improper Certificate Validation in SMTP Appender

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-9488. PoCs published by arsalanraja987.

AI-analyzed exploit summary: This repository demonstrates CVE-2020-9488, a log injection vulnerability in Log4j, by providing vulnerable and safe Java code examples. It includes a script to automatically fix the vulnerability by sanitizing user input before logging.

Description

Improper validation of a certificate with a host mismatch in the Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1.

Exploits (1)

nomisec WRITEUP
by arsalanraja987 · poc
https://github.com/arsalanraja987/java-log4j-cve-2020-9488


Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Apache Log4j (versions affected by CVE-2020-9488)
No auth needed
Prerequisites: Java environment · Log4j library · User input that can be logged
devstral-2 · analyzed Feb 18, 2026

References (49)

Core References
https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory; x_refsource_misc)
https://www.oracle.com/security-alerts/cpujul2020.html (Third Party Advisory; x_refsource_misc)
https://issues.apache.org/jira/browse/LOG4J2-2819 (Issue Tracking, Mitigation, Patch, Vendor Advisory; x_refsource_confirm)
https://security.netapp.com/advisory/ntap-20200504-0003/ (Third Party Advisory; x_refsource_confirm)
https://www.oracle.com/security-alerts/cpuoct2020.html (Third Party Advisory; x_refsource_misc)
https://www.oracle.com/security-alerts/cpujan2021.html (Third Party Advisory; x_refsource_misc)
https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory; x_refsource_misc)
https://www.debian.org/security/2021/dsa-5020 (Third Party Advisory, vendor-advisory; x_refsource_debian)
https://lists.debian.org/debian-lts-announce/2021/12/msg00017.html (Mailing List, Third Party Advisory, mailing-list; x_refsource_mlist)
https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3 3.7
EPSS 0.0808
EPSS Percentile 94.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-295
Status published
Products (50)
Apache/Apache Log4j log4j-core - 2.12.3
Apache/Apache Log4j log4j-core 2.13.0
apache/log4j 2.0 - 2.3.2
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
oracle/communications_application_session_controller 3.9m0p1
oracle/communications_billing_and_revenue_management 7.5.0.23.0
oracle/communications_billing_and_revenue_management 12.0.0.3.0
oracle/communications_eagle_ftp_table_base_retrieval 4.5
... and 40 more
Published Apr 27, 2020
Tracked Since Feb 18, 2026