CVE-2021-42550 - Remote Code Execution (RCE)

Severity: Low2022-09-22

Security Advisories



In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion v4.1 and older versionsLow Oxygen Content Fusion 5.0 build 2022052605
Oxygen XML Web Author between 24.0 and olderLow Oxygen XML Web Author 24.1 build 2022030809
Oxygen Feedback 2.0 and olderLow Oxygen Feedback 2.1 build 2022041216
Oxygen XML Publishing Engine 24.0 and olderLow Oxygen Publishing Engine 24.1 build 2022030800
Oxygen PDF Chemistry 24.0Low Oxygen PDF Chemistry 24.1 build 2022030907
Oxygen XML Author 24.0 and olderLow Oxygen XML Author 24.1 build 2022030807
Oxygen XML Developer 24.0 and olderLow Oxygen XML Developer 24.1 build 2022030807
Oxygen XML Editor 24.0 and olderLow Oxygen XML Editor 24.1 build 2022030807





Severity: Low

CVSS Score: 6.6

The Apache Log4j2 third-party library used by Oxygen XML products is an affected version mentioned in CVE-2021-42550 vulnerability description. However, the vulnerability can be only eploited by modifying the logging configuration by a trusted party. For that reason, we are rated the severity level for our products as low.

List of Security Advisories