CVE-2021-42550 - Remote Code Execution (RCE)
Severity: Low
2022-09-22
Abstract
CVE-2021-42550.xml
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration that allows execution of arbitrary code loaded from LDAP servers.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen Content Fusion v4.1 and older versions | Low | Oxygen Content Fusion 5.0 build 2022052605 |
Oxygen XML Web Author 24.0 and older | Low | Oxygen XML Web Author 24.1 build 2022030809 |
Oxygen Feedback 2.0 and older | Low | Oxygen Feedback 2.1 build 2022041216 |
Oxygen XML Publishing Engine 24.0 and older | Low | Oxygen Publishing Engine 24.1 build 2022030800 |
Oxygen PDF Chemistry 24.0 | Low | Oxygen PDF Chemistry 24.1 build 2022030907 |
Oxygen XML Author 24.0 and older | Low | Oxygen XML Author 24.1 build 2022030807 |
Oxygen XML Developer 24.0 and older | Low | Oxygen XML Developer 24.1 build 2022030807 |
Oxygen XML Editor 24.0 and older | Low | Oxygen XML Editor 24.1 build 2022030807 |
Detail
CVE-2021-42550
Severity: Low
CVSS Score: 6.6
The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2021-42550 vulnerability description. However, the vulnerability can only be exploited by a trusted party modifying the logging configuration. For that reason, we have rated the severity level for our products as low.
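An added example, not part of this advisory or of the logback project: a heuristic audit that flags logback configuration files that are writable by group or others, or that reference remote JNDI URL schemes such as LDAP, the two conditions named in the abstract. The scheme list, the function names and the sample configuration are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Heuristic (assumption): URL schemes handled by remote JNDI providers.
REMOTE_JNDI = re.compile(r"\b(ldaps?|rmi|iiop|dns)://", re.IGNORECASE)

# Constructed sample; the property is inert and only carries a placeholder URL.
SAMPLE = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"/>
  <property name="directory" value="ldap://ldap.example.invalid/cn=placeholder"/>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""

def audit_logback_config(path):
    """Return (line_no, finding) tuples; line 0 is a file-level finding."""
    findings = []
    mode = os.stat(path).st_mode
    # Exploitation requires write access to the configuration file.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((0, "writable by group/other: " + stat.filemode(mode)))
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            for match in REMOTE_JNDI.finditer(line):
                findings.append((line_no, "remote JNDI-style URL: " + match.group(1).lower()))
    return findings

def audit_tree(root):
    """Audit every logback*.xml under root; return {path: findings}."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.startswith("logback") and name.endswith(".xml"):
                path = os.path.join(folder, name)
                report[path] = audit_logback_config(path)
    return report

def audit_sample(text, mode):
    """Hypothetical helper: write text to a temp logback.xml and audit it."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "logback.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit_tree(root)[path]

if __name__ == "__main__":
    print(audit_sample(SAMPLE, 0o664))
```

Point `audit_tree` at an installation or deployment directory to review every logback configuration it contains; a finding is a prompt for review, not proof of tampering.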