{"id":"CVE-2021-45105","details":"Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.","aliases":["GHSA-p6xc-xr62-6r2g"],"modified":"2026-04-16T04:34:40.059792237Z","published":"2021-12-18T12:15:07.433Z","related":["openSUSE-SU-2021:1605-1","openSUSE-SU-2021:4118-1","openSUSE-SU-2024:11691-1"],"references":[{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/12/19/1"},{"type":"ADVISORY","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-501673.pdf"},{"type":"ADVISORY","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-5024"},{"type":"ADVISORY","url":"https://www.zerodayinitiative.com/advisories/ZDI-21-1541/"},{"type":"ADVISORY","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"},{"type":"ADVISORY","url":"https://logging.apache.org/log4j/2.x/security.html"},{"type":"ADVISORY","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20211218-0001/"},{"type":"ADVISORY","url":"https://www.kb.cert.org/vuls/id/930724"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/logging-log4j2","events":[{"introduced":"8d9204a4b4c6016fa6b36513a46502689d6a45c1"},{"fixed":"38513a7d57343881f7bf58f37e67d6a87e0a47c5"},{"introduced":"383a8194acab4a740d22b69c023ca3af6cb9c664"},{"fixed":"2b9359b2373d773c5db7427d6dab369ba1852d3f"},{"introduced":"9dcb1823a0a0192f2016daf7c1445ddfb3435fbf"},{"last_affected":"cffe58f6a433ea1ab60ceb129d4c9b3377acda1d"},{"introduced":"0"},{"last_affected":"da539329d528d979f4dd385a6ebb639793ef37bd"},{"introduced":"0"},{"last_affected":"da539329d528d979f4dd385a6ebb639793ef37bd"},{"introduced":"0"},{"last_affected":"da539329d528d979f4dd385a6ebb639793ef37bd"},{"introduced":"0"},{"last_affected":"a493c04c046763140612307400f9189d8f0acd28"},{"introduced":"0"},{"last_affected":"da539329d528d979f4dd385a6ebb639793ef37bd"}],"database_specific":{"versions":[{"introduced":"2.0"},{"fixed":"2.3.1"},{"introduced":"2.4"},{"fixed":"2.12.3"},{"introduced":"2.13.0"},{"last_affected":"2.16.0"},{"introduced":"0"},{"last_affected":"2.12.0"},{"introduced":"0"},{"last_affected":"2.12.0"},{"introduced":"0"},{"last_affected":"2.12.0"},{"introduced":"0"},{"last_affected":"2.6.2"},{"introduced":"0"},{"last_affected":"2.12.0"}]}}],"versions":["log4j-2.1","log4j-2.1-rc2","log4j-2.1-rc3","log4j-2.10-rc1","log4j-2.10.0","log4j-2.11.0","log4j-2.11.0-rc1","log4j-2.11.1","log4j-2.11.1-rc1","log4j-2.11.2","log4j-2.11.2-rc1","log4j-2.11.2-rc2","log4j-2.11.2-rc3","log4j-2.12.0","log4j-2.12.0-rc1","log4j-2.12.0-rc2","log4j-2.12.1","log4j-2.12.1-rc1","log4j-2.12.2-rc1","log4j-2.13.0-rc2","log4j-2.13.1","log4j-2.13.1-rc1","log4j-2.13.1-rc2","log4j-2.13.2","log4j-2.13.2-rc1","log4j-2.13.3","log4j-2.13.3-rc1","log4j-2.14.0-rc1","log4j-2.14.1-rc1","log4j-2.15.0-rc1","log4j-2.15.0-rc2","log4j-2.15.1-rc1","log4j-2.16.0-rc1","log4j-2.3","log4j-2.4","log4j-2.4.1","log4j-2.5","log4j-2.5-rc1","log4j-2.6.2","log4j-2.6.2-rc1","log4j-2.7","log4j-2.7-rc1","log4j-2.7-rc2","log4j-2.8","log4j-2.8-rc1","log4j-2.8.1","log4j-2.8.1-rc1","log4j-2.9-rc1","log4j-2.9.0","log4j-2.9.1-rc1","rel/2.1","rel/2.10.0","rel/2.11.0","rel/2.11.1","rel/2.11.2","rel/2.12.0","rel/2.12.1","rel/2.12.2","rel/2.13.0","rel/2.13.1","rel/2.13.2","rel/2.13.3","rel/2.14.0","rel/2.14.1","rel/2.15.0","rel/2.16.0","rel/2.3","rel/2.4","rel/2.4.1","rel/2.5","rel/2.6.2","rel/2.7","rel/2.8","rel/2.8.1","rel/2.9.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0.12"}]},{"events":[{"introduced":"2.0"},{"fixed":"3.0"}]},{"events":[{"introduced":"2.0"},{"fixed":"3.0"}]},{"events":[{"introduced":"3.0.0"},{"fixed":"3.1.0"}]},{"events":[{"introduced":"0"},{"fixed":"2.7.0"}]},{"events":[{"introduced":"0"},{"fixed":"2.7.0"}]},{"events":[{"introduced":"0"},{"fixed":"2.7.0"}]},{"events":[{"introduced":"0"},{"fixed":"2.7.0"}]},{"events":[{"introduced":"0"},{"fixed":"2.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.2.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"21.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5"}]},{"events":[{"introduced":"0"},{"last_affected":"5.5.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.5"}]},{"events":[{"introduced":"0"},{"last_affected":"1.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"1.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"3.0.2.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"3.0.3.0"}]},{"events":[{"introduced":"12.0.1.0.0"},{"last_affected":"12.0.4.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.1.0.0"}]},{"events":[{"introduced":"8.3.0.0"},{"last_affected":"8.5.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"46.6"}]},{"events":[{"introduced":"0"},{"last_affected":"4.5"}]},{"events":[{"introduced":"0"},{"fixed":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1"}]},{"events":[{"introduced":"12.0.1.0.0"},{"last_affected":"12.0.4.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.1.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.4.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.5"}]},{"events":[{"introduced":"0"},{"last_affected":"6.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"fixed":"9.0"}]},{"events":[{"introduced":"0"},{"fixed":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.2"}]},{"events":[{"introduced":"0"},{"last_affected":"12.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.2.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.2.1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2"}]},{"events":[{"introduced":"0"},{"last_affected":"13.4.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.5.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.4.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"13.5.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.4.0.0"}]},{"events":[{"introduced":"8.0.7"},{"last_affected":"8.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.8.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1.1.0.0"}]},{"events":[{"introduced":"12.1.0"},{"last_affected":"12.4"}]},{"events":[{"introduced":"14.0.0"},{"last_affected":"14.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.83.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1.0.6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.2.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.3.2.1"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0.0.0"}]},{"events":[{"introduced":"3.0.1"},{"last_affected":"3.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1.1"}]},{"events":[{"introduced":"7.3.0.1"},{"last_affected":"7.3.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"5.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.13.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.2"}]},{"events":[{"introduced":"0"},{"fixed":"11.2.8.0"}]},{"events":[{"introduced":"0"},{"fixed":"11.2.8.0"}]},{"events":[{"introduced":"0"},{"fixed":"11.2.8.0"}]},{"events":[{"introduced":"0"},{"fixed":"11.2.8.0"}]},{"events":[{"introduced":"0"},{"fixed":"11.2.8.0"}]},{"events":[{"introduced":"0"},{"fixed":"11.2.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"17.1"}]},{"events":[{"introduced":"0"},{"last_affected":"17.2"}]},{"events":[{"introduced":"0"},{"last_affected":"17.3"}]},{"events":[{"introduced":"0"},{"last_affected":"1.0.1"}]},{"events":[{"introduced":"5.4"},{"last_affected":"5.6.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.6.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.29"}]},{"events":[{"introduced":"0"},{"last_affected":"19.1"}]},{"events":[{"introduced":"0"},{"last_affected":"20.3"}]},{"events":[{"introduced":"0"},{"last_affected":"8.58"}]},{"events":[{"introduced":"0"},{"last_affected":"8.59"}]},{"events":[{"introduced":"17.12.0"},{"last_affected":"17.12.11"}]},{"events":[{"introduced":"18.8.0"},{"last_affected":"18.8.13"}]},{"events":[{"introduced":"19.12.0"},{"last_affected":"19.12.12"}]},{"events":[{"introduced":"20.12.0"},{"last_affected":"20.12.7"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12.0"}]},{"events":[{"introduced":"19.12.0.0"},{"last_affected":"19.12.18.0"}]},{"events":[{"introduced":"20.12.0.0"},{"last_affected":"20.12.12.0"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"18.8"}]},{"events":[{"introduced":"0"},{"last_affected":"19.12"}]},{"events":[{"introduced":"0"},{"last_affected":"20.12"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"17.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"20.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"21.0.0"}]},{"events":[{"introduced":"16.0.1"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"16.0.1"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"19.0.0"},{"last_affected":"19.0.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.5"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.46"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3.115"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3.240"}]},{"events":[{"introduced":"0"},{"last_affected":"13.2"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1"}]},{"events":[{"introduced":"16.0.1"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0.4.13"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.5"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.14"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3.8"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3.7"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12"}]},{"events":[{"introduced":"0"},{"fixed":"21.4.2"}]},{"events":[{"introduced":"0"},{"fixed":"22.1"}]},{"events":[{"introduced":"4.3.0.1.0"},{"last_affected":"4.3.0.6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.1.0.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-45105.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}