By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVE-2022-23305
Score 9.8 from GitHub Security Advisory (severity: CRITICAL) published 2022-01-21. NVD baseline CVSS 9.8; sources differ by 0.0.
- High exploitation likelihood — EPSS 67%
A fix is available — apply it.
- CVSS v3
- 9.8
- EG Score
- 9.8(medium)
- EPSS
- 99.2%
- KEV
- Not listed
Published
January 18, 2022
Last Modified
May 27, 2026
Advisory Details (4)
Auto-updated Jun 20, 2026oss-security - CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1
http://www.openwall.com/lists/oss-security/2022/01/18/4Vendor Advisories for CVE-2022-23305(20)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2024:10207Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.3.11 Security update
- RHSA-2024:5856Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.7 on RHEL 7 security update
- RHSA-2022:5460Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update
- RHSA-2022:5459Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update
- RHSA-2022:5458Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.24 security update
- RHSA-2022:1299Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
- RHSA-2022:1297Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
- RHSA-2022:1296Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
- +12 more
Patch Availability(23)
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(2 across 1 ecosystem)
Maven(2)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| log4j:log4j | 1.1.3 ... 1.2.9 (14 versions) | — | — |
| org.zenframework.z8.dependencies.commons:log4j-1.2.17 | 2.0 | — | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(15)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2022:0289IMPORTANT2022-01-18
RHSA-2022:0289 — Important
- Red HatRHSA-2022:0290IMPORTANT2022-01-18
RHSA-2022:0290 — Important
- Red HatRHSA-2022:0291IMPORTANT2022-01-18
RHSA-2022:0291 — Important
- Red HatRHSA-2022:0294IMPORTANT2022-01-18
RHSA-2022:0294 — Important
- Red HatRHSA-2022:0430IMPORTANT2022-01-18
RHSA-2022:0430 — Important
- Red HatRHSA-2022:0435IMPORTANT2022-01-18
RHSA-2022:0435 — Important
- Red HatRHSA-2022:0436IMPORTANT2022-01-18
RHSA-2022:0436 — Important
- Red HatRHSA-2022:0437IMPORTANT2022-01-18
RHSA-2022:0437 — Important
- Red HatRHSA-2022:0438IMPORTANT2022-01-18
RHSA-2022:0438 — Important
- Red HatRHSA-2022:0439IMPORTANT2022-01-18
RHSA-2022:0439 — Important
- Red HatRHSA-2022:0442IMPORTANT2022-01-18
RHSA-2022:0442 — Important
- Red HatRHSA-2022:0444IMPORTANT2022-01-18
RHSA-2022:0444 — Important
- Red HatRHSA-2022:0446IMPORTANT2022-01-18
RHSA-2022:0446 — Important
- Red HatRHSA-2022:0448IMPORTANT2022-01-18
RHSA-2022:0448 — Important
- Red HatRHSA-2022:0449IMPORTANT2022-01-18
RHSA-2022:0449 — Important
Data Freshness Timeline
(refreshed 3× in last 7d / 30× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-09 19:07 UTCEPSS rescore
- 2026-07-06 02:21 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-01 15:04 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-29 23:04 UTCOSV refresh
- 2026-06-29 14:04 UTCEPSS rescore
- 2026-06-29 14:04 UTCEPSS rescore
- 2026-06-27 03:07 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
Show 39 moreShow fewer
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-12 11:40 UTCOSV refresh
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 13:20 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-26 13:43 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 04:39 UTCEG score recompute
- 2026-05-26 04:39 UTCVendor advisory
- 2026-05-26 04:39 UTCGHSA enrichment
Publicly available exploits
(2 references)Working exploit code is in the public domain (2 GitHub PoCs). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCAlphabugX/CVE-2022-RCEFirst seen Jan 21, 2022
test 反向辣鸡数据投放 CVE-2022-23305 工具 利用 教程 Exploit POC
Open source ↗ - GitHub PoCHynekPetrak/log4shell-finderFirst seen Dec 14, 2021
Fastest filesystem scanner for log4shell (CVE-2021-44228, CVE-2021-45046) and other vulnerable (CVE-2017-5645, CVE-2019-17571, CVE-2022-23305, CVE-2022-23307 ... ) instances of log4j library. Excellent performance and low memory footprint.
Open source ↗
Related CVEs(same product + same vendor + same CWE)
Same product
4 shownmaven:log4j:log4j
Same vendor
10 shownredhat
Frequently asked(5)
What is CVE-2022-23305?
When was CVE-2022-23305 disclosed?
Is CVE-2022-23305 actively exploited?
What is the CVSS score of CVE-2022-23305?
How do I remediate CVE-2022-23305?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2022-23305
Is Your Infrastructure Affected by CVE-2022-23305?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.