CVE-2022-23307

Aliases:GHSA-f7vh-qwp3-x37m

Advisory lineage Upstream: 0 Downstream: 33

Downstream

DEBIAN-CVE-2022-23307 DLA-2905-1 OPENSUSE-SU-2022:0038-1 OPENSUSE-SU-2022:0214-1 OPENSUSE-SU-2022:0226-1 OPENSUSE-SU-2024:11838-1

Modified

Published: 18 Jan 2022, 15:25

Last modified:27 May 2026, 13:44

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9 HIGH

v2.0 (nvd)

EPSS Score

2.6% LOW

3% probability +0.80%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

18 Jan 2022, 15:25

Published

Vulnerability first disclosed

27 May 2026, 13:44

Last Modified

Vulnerability information updated

Description

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

CVSS Metrics

v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
v2.0•HIGH•Score: 9AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 2.60%• Percentile: 86%

Techniques & Countermeasures

CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

apache software foundation•apache log4j 1.x
≥ 1.2.1, < unspecified | ≥ unspecified, ≤ 2.0-alpha1
apache•chainsaw
< 2.1.0
apache•log4j
≥ 1.2, < 2.0
log4j•log4j
≤ 1.2.17
org.zenframework.z8.dependencies.commons•log4j-1.2.17
≤ 2.0
oracle•advanced_supply_chain_planning
12.1 | 12.2
oracle•business_intelligence
5.9.0.0.0 | 12.2.1.3.0 | 12.2.1.4.0
oracle•business_process_management_suite
12.2.1.3.0 | 12.2.1.4.0
oracle•communications_eagle_ftp_table_base_retrieval
4.5
oracle•communications_instant_messaging_server
10.0.1.5.0
oracle•communications_messaging_server
8.1
oracle•communications_network_integrity
7.3.6
oracle•communications_offline_mediation_controller
< 12.0.0.4.4 | 12.0.0.5.0
oracle•communications_unified_inventory_management
7.4.1 | 7.4.2
oracle•e-business_suite_cloud_manager_and_cloud_backup_module
< 2.2.1.1.1 | 2.2.1.1.1
oracle•enterprise_manager_base_platform
13.4.0.0 | 13.5.0.0
oracle•financial_services_revenue_management_and_billing_analytics
2.7.0.0 | 2.7.0.1 | 2.8.0.0
oracle•healthcare_foundation
8.1.0
oracle•hyperion_data_relationship_management
< 11.2.8.0
oracle•hyperion_infrastructure_technology
< 11.2.8.0
oracle•identity_management_suite
12.2.1.3.0 | 12.2.1.4.0
oracle•identity_manager_connector
11.1.1.5.0
oracle•jdeveloper
12.2.1.3.0
oracle•middleware_common_libraries_and_tools
12.2.1.4.0
oracle•mysql_enterprise_monitor
≤ 8.0.29
oracle•retail_extract_transform_and_load
13.2.5
oracle•tuxedo
12.2.2.0.0
Unknown•WebLogic Server
12.2.1.3.0 | 12.2.1.4.0 | 14.1.1.0.0
qos•reload4j
< 1.2.18.1