### [CVE-2021-45105](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105)
![](https://img.shields.io/static/v1?label=Product&message=Apache%20Log4j2&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=log4j-core%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-20%20Improper%20Input%20Validation&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-674%3A%20Uncontrolled%20Recursion&color=brightgreen)

### Description

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

### POC

#### Reference
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html

#### Github
- https://github.com/1lann/log4shelldetect
- https://github.com/ADP-Dynatrace/dt-appsec-powerup
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Afrouper/MavenDependencyCVE-Scanner
- https://github.com/AlvaroMartinezQ/clickandbuy
- https://github.com/BabooPan/Log4Shell-CVE-2021-44228-Demo
- https://github.com/Boupouchi/Log4j-Detector-PFA
- https://github.com/CUBETIQ/cubetiq-security-advisors
- https://github.com/CVEDB/PoC-List
- https://github.com/CVEDB/awesome-cve-repo
- https://github.com/CVEDB/top
- https://github.com/Cosmo-Tech/azure-digital-twins-simulator-connector
- https://github.com/CptOfEvilMinions/ChooseYourSIEMAdventure
- https://github.com/Cyb3rWard0g/log4jshell-lab
- https://github.com/Cybereason/Logout4Shell
- https://github.com/Devihtisham01/-HIPAA-and-GDPR-compliance-engine-for-a-healthcare-SaaS-product
- https://github.com/Dynatrace-Asad-Ali/appsecutil
- https://github.com/GhostTroops/TOP
- https://github.com/GluuFederation/Log4J
- https://github.com/HackJava/HackLog4j2
- https://github.com/HackJava/Log4j2
- https://github.com/HemantKMehta/Log4J
- https://github.com/HynekPetrak/log4shell-finder
- https://github.com/ITninja04/awesome-stars
- https://github.com/JERRY123S/all-poc
- https://github.com/Locj41/demo-cve2021-45105
- https://github.com/Maelstromage/Log4jSherlock
- https://github.com/MaineK00n/vuls2
- https://github.com/Mattrobby/Log4J-Demo
- https://github.com/MichalSoltysikSOC/Cybersecurity-content-videos
- https://github.com/NCSC-NL/log4shell
- https://github.com/NE137/log4j-scanner
- https://github.com/NaInSec/CVE-PoC-in-GitHub
- https://github.com/NiftyBank/java-app
- https://github.com/Pluralsight-SORCERI/log4j-resources
- https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
- https://github.com/Qerim-iseni09/ByeLog4Shell
- https://github.com/Qualys/log4jscanwin
- https://github.com/ReAbout/audit-java
- https://github.com/Ryan2065/Log4ShellDetection
- https://github.com/SYRTI/POC_to_review
- https://github.com/ShadowPayload06/Internship-security-scan-
- https://github.com/VerveIndustrialProtection/CVE-2021-44228-Log4j
- https://github.com/WhooAmii/POC_to_review
- https://github.com/YoungBear/log4j2demo
- https://github.com/akselbork/Remove-Log4JVulnerabilityClass-
- https://github.com/alphatron-employee/product-overview
- https://github.com/alukashenkov/Vulners-MCP
- https://github.com/andalik/log4j-filescan
- https://github.com/asksven/log4j-poc
- https://github.com/bananaacaat/Log4j-Detector
- https://github.com/binkley/modern-java-practices
- https://github.com/bmw-inc/log4shell
- https://github.com/cckuailong/Log4j_dos_CVE-2021-45105
- https://github.com/chenghungpan/test_data
- https://github.com/christian-taillon/log4shell-hunting
- https://github.com/cyberanand1337x/bug-bounty-2022
- https://github.com/darkarnium/Log4j-CVE-Detect
- https://github.com/davejwilson/azure-spark-pools-log4j
- https://github.com/demining/Log4j-Vulnerability
- https://github.com/demonrvm/Log4ShellRemediation
- https://github.com/dileepdkumar/https-github.com-NCSC-NL-log4shell
- https://github.com/dileepdkumar/https-github.com-pravin-pp-log4j2-CVE-2021-45105-1
- https://github.com/dinlaks/RunTime-Vulnerability-Prevention---RHACS-Demo
- https://github.com/dkd/elasticsearch
- https://github.com/dtact/divd-2021-00038--log4j-scanner
- https://github.com/dynatrace-ext/AppSecUtil
- https://github.com/elicha023948/44228
- https://github.com/eliezio/log4j-test
- https://github.com/evmcoedevsecops/log4j2_Demo
- https://github.com/fox-it/log4j-finder
- https://github.com/gitlab-de/log4j-resources
- https://github.com/govgitty/log4shell-
- https://github.com/gumimin/dependency-check-sample
- https://github.com/helsecert/CVE-2021-44228
- https://github.com/hillu/local-log4j-vuln-scanner
- https://github.com/hktalent/TOP
- https://github.com/hupe1980/scan4log4shell
- https://github.com/iAmSOScArEd/log4j2_dos_exploit
- https://github.com/imTigger/webapp-hardware-bridge
- https://github.com/jacobalberty/unifi-docker
- https://github.com/jbmihoub/all-poc
- https://github.com/jfrog/log4j-tools
- https://github.com/khulnasoft-lab/awesome-security
- https://github.com/khulnasoft-labs/awesome-security
- https://github.com/krishnamk00/Top-10-OpenSource-News-Weekly
- https://github.com/lhotari/pulsar-docker-images-patch-CVE-2021-44228
- https://github.com/logpresso/CVE-2021-44228-Scanner
- https://github.com/mad1c/log4jchecker
- https://github.com/martinlau/dependency-check-issue
- https://github.com/mergebase/csv-compare
- https://github.com/mergebase/log4j-detector
- https://github.com/mosaic-hgw/jMeter
- https://github.com/name/log4j-remediation
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/nullx3d/PaypScan
- https://github.com/open-source-agenda/new-open-source-projects
- https://github.com/optionalg/ByeLog4Shell
- https://github.com/ossie-git/log4shell_sentinel
- https://github.com/ozGod-sh/Declencheur-CVE
- https://github.com/palantir/log4j-sniffer
- https://github.com/papicella/conftest-snyk-demos
- https://github.com/paras98/Log4Shell
- https://github.com/pentesterland/Log4Shell
- https://github.com/phax/ph-oton
- https://github.com/phax/phase4
- https://github.com/phax/phoss-directory
- https://github.com/phiroict/pub_log4j2_fix
- https://github.com/pravin-pp/log4j2-CVE-2021-45105
- https://github.com/retr0-13/log4j-bypass-words
- https://github.com/retr0-13/log4shell
- https://github.com/righettod/log4shell-analysis
- https://github.com/sakuraji-labs/log4j-remediation
- https://github.com/seculayer/Log4j-Vulnerability
- https://github.com/secursive/log4j-CVEs-scripts
- https://github.com/soosmile/POC
- https://github.com/srhercules/log4j_mass_scanner
- https://github.com/sschakraborty/SecurityPOC
- https://github.com/sumitgiri87/Ransomware-AIG
- https://github.com/tcoliver/IBM-SPSS-log4j-fixes
- https://github.com/tejas-nagchandi/CVE-2021-45105
- https://github.com/thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832
- https://github.com/thl-cmk/CVE-log4j-check_mk-plugin
- https://github.com/tmax-cloud/install-EFK
- https://github.com/trhacknon/CVE-2021-44228-Scanner
- https://github.com/trhacknon/Pocingit
- https://github.com/trhacknon/log4shell-finder
- https://github.com/viktorbezdek/awesome-github-projects
- https://github.com/wanniDev/OEmbeded
- https://github.com/watson-developer-cloud/assistant-with-discovery
- https://github.com/weeka10/-hktalent-TOP
- https://github.com/whalehub/awesome-stars
- https://github.com/whitesource/log4j-detect-distribution
- https://github.com/wortell/log4j
- https://github.com/xcollantes/henlo_there
- https://github.com/yannart/log4shell-scanner-rs
- https://github.com/yonocruzhj/AIG---Tasks
- https://github.com/zaneef/CVE-2021-44228
- https://github.com/zecool/cve
- https://github.com/zeroonesa/ctf_log4jshell