What is the CVSS score of CVE-2021-45046?

CVE-2021-45046 has a CVSS 3.1 base score of 9.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 94.3%.

Which versions of Apache Log4j are affected by CVE-2021-45046?

CVE-2021-45046 presents critical security risk rated CVSS 9.0. Successful exploitation could critically impact the confidentiality, integrity, and availability of affected systems.. A patch is available.

Is CVE-2021-45046 being actively exploited?

Yes, CVE-2021-45046 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. Immediate patching is required.

How to fix or mitigate CVE-2021-45046?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Vendor patch is available.

Apache Log4j CVE-2021-45046

CRITICAL

Improper Neutralization of Special Elements used in an Expression Language Statement (CWE-917)

2021-12-14 security@apache.org

9.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 26, 2026 - 11:19 vuln.today

Added to CISA KEV

Oct 27, 2025 - 17:35 cisa

CISA KEV

Patch released

Oct 27, 2025 - 17:35 nvd

Patch available

CVE Published

Dec 14, 2021 - 19:15 nvd

CRITICAL 9.0

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

598 maven packages depend on org.apache.logging.log4j:log4j-core (254 direct, 347 indirect)

Ecosystem-wide dependent count for version 2.13.0.

DescriptionNVD

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

AnalysisAI

Apache Log4j2 contains an incomplete fix for Log4Shell (CVE-2021-44228) that allows attackers to bypass the initial patch through Thread Context Map (MDC) input data in non-default configurations, enabling RCE and DoS.

Technical ContextAI

The CWE-917 OGNL/EL injection bypass works when logging configurations use Context Lookup patterns (${ctx:loginId}) or Thread Context Map patterns in their Pattern Layout. In these configurations, Log4j 2.15.0's restrictions on JNDI lookups can be circumvented through MDC-injected data.

Affected ProductsAI

Apache Log4j2 2.15.0 (with non-default Pattern Layout using Context Lookup)

RemediationAI

Update to Log4j 2.17.1+ (the fully patched version). Log4j 2.16.0 disabled JNDI by default but had additional issues. Only 2.17.1+ is considered fully secure.

CVE-2021-45046 vulnerability details – vuln.today

Back

Apache Log4j CVE-2021-45046

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code