Hacker News
by tailspin2019 1638 days ago
> including a network request

The wording in the CVE description of “an attacker with permission to modify the logging configuration file” really obscures that fact if that’s true.

That wording means something very specific to me (and I would assume many others) - my immediate assumption was that it refers to an actual file on disk on the machine running Log4j.

If it can load config over a network request - I feel like this would have been useful to point out in the description?

Unless this particular issue is just restricted to local file-based config?

Sadly it’s late here so I don’t have time to read up further right now. I’ll reserve that pleasure for tomorrow morning…!