CVE-2022-23305

9.8 CRITICAL

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are conv...

Published: 2022-01-18 · Last updated: 2026-05-27

Severity and scoring

CVSS: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89

Affected products

Vendor	Product
apache	advanced_supply_chain_planning, brocade_sannav, business_intelligence
broadcom	advanced_supply_chain_planning, brocade_sannav, business_intelligence
netapp	advanced_supply_chain_planning, brocade_sannav, business_intelligence
oracle	advanced_supply_chain_planning, brocade_sannav, business_intelligence
qos	advanced_supply_chain_planning, brocade_sannav, business_intelligence

Description

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2022-23305
[Other]http://www.openwall.com/lists/oss-security/2022/01/18/4
[Vendor advisory]https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y
[Vendor advisory]https://logging.apache.org/log4j/1.2/index.html
[Other]https://security.netapp.com/advisory/ntap-20220217-0007/
[Patch]https://www.oracle.com/security-alerts/cpuapr2022.html
[Patch]https://www.oracle.com/security-alerts/cpujul2022.html
[Other]http://www.openwall.com/lists/oss-security/2022/01/18/4
[Vendor advisory]https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y
[Vendor advisory]https://logging.apache.org/log4j/1.2/index.html
[Other]https://security.netapp.com/advisory/ntap-20220217-0007/
[Patch]https://www.oracle.com/security-alerts/cpuapr2022.html
[Patch]https://www.oracle.com/security-alerts/cpujul2022.html

Related CVEs

Same vendor

CVE-2026-34905 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer (6.5 MEDIUM)
CVE-2026-34031 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)
CVE-2026-33582 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)
CVE-2026-25699 — Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer (6.1 MEDIUM)
CVE-2026-25688 — Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer (6.1 MEDIUM)

Same CWE

CVE-2026-53474 — A flaw was found in migration-planner (9.6 CRITICAL)
CVE-2026-52758 — Ghidra before 12.1 contains a SQL injection vulnerability in BSim filter types that concatenate user-supplied values directly into SQL qu... (8.8 HIGH)
CVE-2026-49498 — Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to e... (8.8 HIGH)
CVE-2026-3018 — The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriber_id’ parameter in all versions up t... (7.5 HIGH)
CVE-2026-3326 — The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX ... (8.6 HIGH)