Log4J (CVE-2021-44228) was considered a low-severity vulnerability
I scanned a vulnerable log4j repo just for testing and found that
CVE-2021-44228 is considered low severity.
Repository used for scanning: https://github.com/christophetd/log4shell-vulnerable-app
Attaching the screenshot for reference:
- Created a year ago
- Comments: 7 (3 by maintainers)
Top GitHub Comments
Thanks @prabhu! This worked after I deleted the db files and cached again.
But I also did --sync before deleting the files, but maybe somehow the files were not really replaced. I think it might be a bug in vdb. I tried understanding the code but I wasn't able to figure it out.
Thanks, @kakumanivrn, for raising this issue. This is fixed with 2.1.4
Perhaps a bug, or the format of the OSV schema has changed recently: severity now appears at the root instead of under the affected array in the OSV feed. https://github.com/AppThreat/vulnerability-db/commit/a45fc845257b963f079130d504debae3ea7282ec