<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>CWE-117 on ZAP</title>
    <link>/alerttags/cwe-117/</link>
    <description>Recent content in CWE-117 on ZAP</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <atom:link href="/alerttags/cwe-117/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Log4Shell (CVE-2021-44228)</title>
      <link>/docs/alerts/40043-1/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/alerts/40043-1/</guid>
      <description>&lt;p&gt;Apache Log4j2 &amp;lt;=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Log4Shell (CVE-2021-45046)</title>
      <link>/docs/alerts/40043-2/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/alerts/40043-2/</guid>
      <description>&lt;p&gt;It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Text4shell (CVE-2022-42889)</title>
      <link>/docs/alerts/40047/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/alerts/40047/</guid>
      <description>&lt;p&gt;Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults. Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The application has been shown to initiate contact with remote servers via variable interpolation and may well be vulnerable to Remote Code Execution (RCE).&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
