{"id":"CVE-2021-45105","details":"Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.","aliases":["GHSA-p6xc-xr62-6r2g"],"modified":"2026-04-16T00:02:14.835085029Z","published":"2021-12-18T12:15:07.433Z","related":["openSUSE-SU-2021:1605-1","openSUSE-SU-2021:4118-1","openSUSE-SU-2024:11691-1"],"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2021/12/19/1"},{"type":"WEB","url":"https://www.kb.cert.org/vuls/id/930724"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/12/19/1"},{"type":"ADVISORY","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"},{"type":"ADVISORY","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"},{"type":"ADVISORY","url":"https://logging.apache.org/log4j/2.x/security.html"},{"type":"ADVISORY","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20211218-0001/"},{"type":"ADVISORY","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-5024"},{"type":"ADVISORY","url":"https://www.kb.cert.org/vuls/id/930724"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"ADVISORY","url":"https://www.zerodayinitiative.com/advisories/ZDI-21-1541/"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2021/12/19/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/aaugustin/websockets","events":[{"introduced":"d03ba5669bd386f8e873a620ff6a5a6926b340b4"},{"fixed":"7d7cac390637021ab9944dc7028a7b2e8f84983f"}]}],"versions":["2.0","2.1","2.2","2.3","2.4","2.5","2.6","2.7"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-45105.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/jetty/jetty.project","events":[{"introduced":"0"},{"fixed":"883fe0e8317a89c46b49465bac2dcd07166e714c"}]}],"versions":["PRE-MERGE-20120719-1138","jetty-7.4.4.v20110707","jetty-7.5.0.RC0","jetty-7.5.0.RC1","jetty-7.5.0.RC2","jetty-7.5.0.v20110901","jetty-7.5.1.v20110907","jetty-7.5.1.v20110908","jetty-7.5.2.v20111006","jetty-7.5.3.v20111011","jetty-7.5.4.v20111024","jetty-7.6.0.RC0","jetty-7.6.0.RC1","jetty-7.6.0.RC2","jetty-7.6.0.RC3","jetty-7.6.0.RC4","jetty-7.6.0.RC5","jetty-7.6.0.v20120125","jetty-7.6.0.v20120127","jetty-7.6.1.v20120215","jetty-7.6.10.v20130312","jetty-7.6.11.v20130520","jetty-7.6.11.v20130725","jetty-7.6.12.v20130726","jetty-7.6.13.v20130910","jetty-7.6.2.v20120302","jetty-7.6.2.v20120308","jetty-7.6.3.v20120413","jetty-7.6.3.v20120416","jetty-7.6.4.v20120522","jetty-7.6.4.v20120524","jetty-7.6.5.v20120713","jetty-7.6.5.v20120716","jetty-7.6.6.v20120903","jetty-7.6.7.v20120910","jetty-7.6.8.v20121106","jetty-7.6.9.v20130131","jetty-8.0.0.RC0","jetty-8.0.0.v20110901","jetty-8.0.1.v20110907","jetty-8.0.1.v20110908","jetty-8.0.2.v20111006","jetty-8.0.3.v20111011","jetty-8.0.4.v20111024","jetty-8.1.0.RC0","jetty-8.1.0.RC1","jetty-8.1.0.RC2","jetty-8.1.0.RC4","jetty-8.1.0.RC5","jetty-8.1.0.v20120125","jetty-8.1.0.v20120127","jetty-8.1.1.v20120215","jetty-8.1.10.v20130312","jetty-8.1.11.v20130520","jetty-8.1.12.v20130725","jetty-8.1.12.v20130726","jetty-8.1.13.v20130910","jetty-8.1.13.v20130916","jetty-8.1.2.v20120302","jetty-8.1.2.v20120308","jetty-8.1.3.v20120413","jetty-8.1.3.v20120416","jetty-8.1.4.v20120522","jetty-8.1.4.v20120524","jetty-8.1.5.v20120713","jetty-8.1.5.v20120716","jetty-8.1.6.v20120903","jetty-8.1.7.v20120910","jetty-8.1.8.v20121106","jetty-8.1.9.v20130131","jetty-9.0.0.M0","jetty-9.0.0.M1","jetty-9.0.0.M2","jetty-9.0.0.M3","jetty-9.0.0.M4","jetty-9.0.0.M5","jetty-9.0.0.RC0","jetty-9.0.0.RC1","jetty-9.0.0.RC2","jetty-9.0.0.RC3","jetty-9.0.0.v20130308","jetty-9.0.1.v20130408","jetty-9.0.2.v20130417","jetty-9.0.2.v20140415","jetty-9.0.3.v20130506","jetty-9.0.4.v20130621","jetty-9.0.4.v20130625","jetty-9.0.5.v20130813","jetty-9.0.5.v20130815","jetty-9.0.6.v20130919","jetty-9.0.6.v20130930","npn-api-1.0.0.v20120402","npn-api-1.1.0.v20120525"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-45105.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/python/cpython","events":[{"introduced":"ff139a8a44d079a8261292044c82f128343fea09"},{"fixed":"6a66a68fe6132418ad6aba5162871f0dcd3651ad"}]}],"versions":["v2.0","v2.1","v2.1a1","v2.1a2","v2.1b1","v2.1b2","v2.1c1","v2.1c2","v2.2a3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-45105.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}