Apache · Apache Log4Net · CVE-2026-40021
Name of the Vulnerable Software and Affected Versions
Apache Log4net versions prior to 3.3.0
Description
Apache Log4net's XmlLayout and XmlLayoutSchemaLog4J do not sanitize characters that the XML 1.0 specification forbids (most C0 control characters such as NUL, unpaired surrogates, U+FFFE and U+FFFF) when they appear in MDC property keys and values or in the identity field, all of which can carry attacker-influenced data. Serializing an event that contains such a character throws an exception, and the event is silently dropped rather than written. An attacker who can influence these fields can therefore suppress log records, impairing audit trails and hindering the detection of malicious activity.
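The following C# is an added example, not log4net's own code: it reproduces the failure mode with a plain System.Xml.XmlWriter (whose default CheckCharacters setting rejects forbidden characters, as an XML layout must) and shows a sanitizer that maps every code point outside the XML 1.0 Char production to U+FFFD. The names SanitizeXml10 and EmitEvent, the element layout, and the sample MDC value are assumptions made for the demonstration.

```csharp
// Added example (not log4net's code). Names are hypothetical.
using System;
using System.Collections.Generic;
using System.Text;
using System.Xml;

public static class XmlSafeLogging
{
    // XML 1.0 Char production:
    //   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
    // In UTF-16 the last range appears as a well-formed high/low surrogate pair;
    // a lone surrogate is not a character and must be replaced too.
    public static string SanitizeXml10(string s, char replacement = '\uFFFD')
    {
        if (string.IsNullOrEmpty(s)) return s;
        var sb = new StringBuilder(s.Length);
        for (int i = 0; i < s.Length; i++)
        {
            char c = s[i];
            if (c == '\t' || c == '\n' || c == '\r'
                || (c >= 0x20 && c <= 0xD7FF)
                || (c >= 0xE000 && c <= 0xFFFD))
            {
                sb.Append(c);
            }
            else if (char.IsHighSurrogate(c) && i + 1 < s.Length && char.IsLowSurrogate(s[i + 1]))
            {
                sb.Append(c).Append(s[++i]);   // valid supplementary-plane character
            }
            else
            {
                sb.Append(replacement);        // control char, lone surrogate, U+FFFE/U+FFFF
            }
        }
        return sb.ToString();
    }

    // Serializes one constructed "event" with its MDC entries as attributes.
    // Without sanitizing, XmlWriter throws ArgumentException on the first
    // forbidden character and nothing for this event reaches the output.
    public static string EmitEvent(IDictionary<string, string> mdc, bool sanitize)
    {
        var sb = new StringBuilder();
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true };
        using (var w = XmlWriter.Create(sb, settings))
        {
            w.WriteStartElement("event");
            foreach (var kv in mdc)
            {
                w.WriteStartElement("data");
                w.WriteAttributeString("name", sanitize ? SanitizeXml10(kv.Key) : kv.Key);
                w.WriteAttributeString("value", sanitize ? SanitizeXml10(kv.Value) : kv.Value);
                w.WriteEndElement();
            }
            w.WriteEndElement();
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed attacker-influenced value: a NUL byte and an unpaired surrogate.
        var mdc = new Dictionary<string, string> { { "user", "alice\u0000\uD800" } };

        try
        {
            Console.WriteLine("unsanitized: " + EmitEvent(mdc, sanitize: false));
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("unsanitized: event dropped: " + e.Message);
        }

        Console.WriteLine("sanitized:   " + EmitEvent(mdc, sanitize: true));
    }
}
```

The upgrade in the Recommendations section is the fix. Until it is deployed, a caller-side stopgap is to pass untrusted data through a sanitizer like SanitizeXml10 before storing it in ThreadContext.Properties or LogicalThreadContext.Properties; this keeps the record, with the offending characters replaced, instead of losing the whole event, and it leaves a visible U+FFFD marker that a reviewer can search for.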
Recommendations
Upgrade to Apache Log4net version 3.3.0 or later.