UBUNTU-CVE-2020-9488
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 27 Apr 2020, 16:15
Last modified:01 Jun 2026, 07:15
Vulnerability Summary
Overall Risk (default)
low
15/100 CVSS Score
3.7 LOW
3.1 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
27 Apr 2020, 16:15
Published
Vulnerability first disclosed
01 Jun 2026, 07:15
Last Modified
Vulnerability information updated
Description
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
CVSS Metrics
- v3.1•LOW•Score: 3.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Systems
- ubuntu•apache-log4j2
all | all | < 2.16.0-0.20.04.1
References (6)
- https://ubuntu.com/security/CVE-2020-9488
- https://www.openwall.com/lists/oss-security/2020/04/25/1
- https://issues.apache.org/jira/browse/LOG4J2-2819
- https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=6851b5083ef9610bae320bf07e1f24d2aa08851b
- https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=fb91a3d71e2f3dadad6fd1beb2ab857f44fe8bbb
- https://www.cve.org/CVERecord?id=CVE-2020-9488