Vulnerability
Remote code injection, Improper Input Validation and Uncontrolled Recursion in Log4j library
### Summary

The version of Log4j that PowerNukkit uses for logging is subject to a remote code execution vulnerability via the LDAP JNDI lookup, [CVE-2021-44228](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q), and to an uncontrolled-recursion denial of service in self-referential lookups, [CVE-2021-45105](https://github.com/advisories/GHSA-p6xc-xr62-6r2g). Both advisories describe the issues in detail.

### Impact

A malicious client can send messages that end up in the server log and, through the lookup expansion, cause remote code execution on the server (CVE-2021-44228) or a denial of service (CVE-2021-45105).

### Patches

PowerNukkit `1.5.2.1` is a patch release that only updates Log4j to `2.17.0` and should be used instead of `1.5.2.0`. All versions prior to `1.5.2.1` are affected and are not patched.

### Workarounds

If you can't upgrade, start the server with the `-Dlog4j2.formatMsgNoLookups=true` JVM argument. It disables lookup expansion in log messages, which blocks the JNDI injection path of CVE-2021-44228; the property only exists in Log4j 2.10 and later. Apache has since documented this setting as insufficient for CVE-2021-44228 in some non-default configurations, and it does nothing for CVE-2021-45105, so treat it as a stopgap and upgrade to `1.5.2.1` as soon as you can.

### References

* https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
* https://github.com/advisories/GHSA-p6xc-xr62-6r2g

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [the PowerNukkit repository](https://github.com/PowerNukkit/PowerNukkit/issues)
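The check an operator wants before deciding between the patch release and the workaround is "which log4j-core is actually on my server, and is the flag set?". The script below is an added example and not part of this advisory or of PowerNukkit. It assumes the Log4j jar (or the shaded server jar that embeds it) still carries the Maven descriptor at `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`, which the official artifacts do, and it compares the version found against the advisory's fixed version `2.17.0`. The jars used in the demo are constructed in a temporary directory so it runs offline; the server paths and the sample Java command line are assumptions.

```python
"""Check a PowerNukkit (or any Java) deployment for the Log4j versions
named in this advisory.  Added example; assumes the Maven descriptor is
present in the jar.  Demo jars are constructed, not real artifacts."""
import os
import re
import tempfile
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 0)  # Log4j version shipped by PowerNukkit 1.5.2.1
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text: str) -> tuple:
    """'2.17.0' -> (2, 17, 0); a suffix such as '2.0-beta9' yields (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_vulnerable(version_text: str) -> bool:
    """CVE-2021-44228 affects 2.0-beta9..2.14.1 (2.15.0 was an incomplete
    fix) and CVE-2021-45105 affects everything below 2.17.0, so the single
    threshold this advisory uses is 'older than 2.17.0'."""
    return parse_version(version_text) < FIXED


def log4j_core_version(jar_path: str):
    """Version string from the embedded pom.properties, or None if the jar
    does not contain log4j-core (or its descriptor was stripped)."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PATH not in zf.namelist():
            return None
        for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def assess_jar(jar_path: str) -> dict:
    ver = log4j_core_version(jar_path)
    if ver is None:
        return {"jar": jar_path, "log4j_core": None, "vulnerable": False}
    return {"jar": jar_path, "log4j_core": ver, "vulnerable": is_vulnerable(ver)}


def scan_directory(root: str) -> list:
    """Assess every .jar below root (server jar, lib/, plugins/)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".jar"):
                findings.append(assess_jar(os.path.join(dirpath, name)))
    return findings


def workaround_status(java_cmdline: str) -> dict:
    """Is the advisory's startup flag present?  Even when it is, it only
    targets CVE-2021-44228; CVE-2021-45105 still needs the 2.17.0 upgrade."""
    present = NO_LOOKUPS_FLAG in java_cmdline.split()
    return {"flag_present": present, "covers_cve_2021_45105": False}


def make_fake_jar(path: str, version: str) -> str:
    """Constructed stand-in for log4j-core-<version>.jar: a zip that holds
    only the Maven descriptor.  For the offline demo only."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PATH, "groupId=org.apache.logging.log4j\n"
                              f"artifactId=log4j-core\nversion={version}\n")
    return path


def demo() -> list:
    """Constructed server tree with one vulnerable and one fixed jar."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "lib"))
        make_fake_jar(os.path.join(tmp, "lib", "log4j-core-2.14.1.jar"), "2.14.1")
        make_fake_jar(os.path.join(tmp, "lib", "log4j-core-2.17.0.jar"), "2.17.0")
        results = scan_directory(tmp)
    for r in results:
        print(r)
    # Assumed start command; substitute the real one from your service unit.
    print(workaround_status("java -Xmx2G " + NO_LOOKUPS_FLAG + " -jar powernukkit.jar"))
    return results


if __name__ == "__main__":
    demo()
```

Run it against the directory holding the server jar; a finding with `"vulnerable": True` means the advisory applies to that deployment regardless of the PowerNukkit version string, and `workaround_status` will never report coverage of CVE-2021-45105 because only the upgrade fixes that one.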