CVE-2026-34479

Data: 2026-04-15

Severity: Medium

CVSS Score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)

Riferimenti:

• https://nvd.nist.gov/vuln/detail/CVE-2026-34479

• https://ossindex.sonatype.org/vulnerability/CVE-2026-34479

• https://github.com/advisories/GHSA-h383-gmxw-35v2

Libreria: org.apache.logging.log4j:log4j-1.2-api <= 2.25.3

Descrizione

[CVE-2026-34479] CWE-116: Improper Encoding or Escaping of Output

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected: * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file. * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class. Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.

GovWay

Versione affette:

• 3.3.x: <= 3.3.19.p1

• 3.4.x: <= 3.4.2.p1

Risoluzione:

• 3.3.x: 3.3.20

• 3.4.x: 3.4.3