By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
Apache
SQLi
Log4J
Snapmanager
Brocade Sannav
+25
NVD
VulDB
CVSS 3.1
9.8
EPSS
9.5%