This is an automated email from the ASF dual-hosted git repository. pkarwasz pushed a commit to branch fix/new-cves in repository https://gitbox.apache.org/repos/asf/logging-site.git
commit 9b9866443c5699f2801d9ee6fd4aeaa3de2c007c
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Fri Apr 10 14:51:43 2026 +0200
Add details for CVE-2026-40021
---
 .../modules/ROOT/pages/_vulnerabilities.adoc | 41 ++++++++++++++++
 src/site/static/cyclonedx/vdr.xml | 55 ++++++++++++++++++++++
 2 files changed, 96 insertions(+)
diff --git a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc
index 7f24d36f..69ffdcbe 100644
--- a/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc
+++ b/src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc
@@ -29,6 +29,47 @@ Version ranges follow the https://github.com/package-url/vers-spec/blob/main/VER
 For brevity, mathematical interval notation is used, with the union operator (`∪`) to represent multiple ranges.
 ====
+[#CVE-2026-40021]
+== {cve-url-prefix}/CVE-2026-40021[CVE-2026-40021]
+
+[cols="1h,5"]
+|===
+|Summary |Silent log event loss in `XmlLayout` and `XmlLayoutSchemaLog4J` due to unescaped XML 1.0 forbidden characters
+|CVSS 4.x Score & Vector |6.3 MEDIUM (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)
+|Components affected |Log4net
+|Versions affected |`[0, 3.3.0)`
+|Versions fixed |`3.3.0`
+|===
+
+[#CVE-2026-40021-description]
+=== Description
+
+Apache Log4net's
+https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list[`XmlLayout`]
+and
+https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list[`XmlLayoutSchemaLog4J`],
+in versions before 3.3.0, fail to sanitize characters forbidden by the
+https://www.w3.org/TR/xml/#charsets[XML 1.0 specification]
+in MDC property keys and values, as well as the identity field that may carry attacker-influenced data.
+This causes an exception during serialization and the silent loss of the affected log event.
+
+An attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.
+
+[#CVE-2026-40021-remediation]
+=== Remediation
+
+Users are advised to upgrade to Apache Log4net version `3.3.0`, which fixes this issue.
+
+[#CVE-2026-40021-credits]
+=== Credits
+
+This issue was discovered by f00dat.
+
+[#CVE-2026-40021-references]
+=== References
+* {cve-url-prefix}/CVE-2026-40021[CVE-2026-40021]
+* https://github.com/apache/logging-log4net/pull/280[Pull request that fixes the issue]
+
 [#CVE-2026-34481]
 == {cve-url-prefix}/CVE-2026-34481[CVE-2026-34481]
diff --git a/src/site/static/cyclonedx/vdr.xml b/src/site/static/cyclonedx/vdr.xml
index dfa85701..ae0f4bb4 100644
--- a/src/site/static/cyclonedx/vdr.xml
+++ b/src/site/static/cyclonedx/vdr.xml
@@ -89,6 +89,61 @@
 <vulnerabilities>
+ <vulnerability>
+ <id>CVE-2026-40021</id>
+ <source>
+ <name>NVD</name>
+ <url>https://nvd.nist.gov/vuln/detail/CVE-2026-40021</url>
+ </source>
+ <ratings>
+ <rating>
+ <source>
+ <name>The Apache Software Foundation</name>
+ <url>
+ <![CDATA[https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N]]></url>
+ </source>
+ <score>6.3</score>
+ <severity>medium</severity>
+ <method>CVSSv4</method>
+ <vector>AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N</vector>
+ </rating>
+ </ratings>
+ <cwes>
+ <cwe>116</cwe>
+ </cwes>
+ <description><![CDATA[Apache Log4net's
+https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list[`XmlLayout`]
+and
+https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list[`XmlLayoutSchemaLog4J`],
+in versions before 3.3.0, fail to sanitize characters forbidden by the
+https://www.w3.org/TR/xml/#charsets[XML 1.0 specification]
+in MDC property keys and values, as well as the identity field that may carry attacker-influenced data.
+This causes an exception during serialization and the silent loss of the affected log event.
+
+An attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.]]></description>
+ <recommendation><![CDATA[Users are advised to upgrade to Apache Log4net version `3.3.0`, which fixes this issue.]]></recommendation>
+ <created>2026-04-10T11:53:17Z</created>
+ <published>2026-04-10T11:53:17Z</published>
+ <updated>2026-04-10T11:53:17Z</updated>
+ <credits>
+ <individuals>
+ <individual>
+ <name>f00dat</name>
+ </individual>
+ </individuals>
+ </credits>
+ <affects>
+ <target>
+ <ref>log4net</ref>
+ <versions>
+ <version>
+ <range><![CDATA[vers:nuget/>=0|<3.3.0]]></range>
+ </version>
+ </versions>
+ </target>
+ </affects>
+ </vulnerability>
+ <vulnerability>
 <id>CVE-2026-34481</id>
 <source>
