Apache Log4j 2.6.1 Jar Contains Critical 10.0 CVSS Vulnerability (CVE-2021-44228)

A critical security scan has flagged the Apache Log4j library version 2.6.1 as containing three severe vulnerabilities, including the infamous Log4Shell flaw with a maximum CVSS score of 10.0. This finding indicates that software projects still relying on this outdated and vulnerable version are exposed to immediate and severe remote code execution risks. The exploit maturity for the primary vulnerability is rated as 'High,' and the EPSS score of 94.4% quantifies a near-certain probability of exploitation attempts in the wild.

The specific library identified is `log4j-core-2.6.1.jar`, a direct dependency found in a project's build path. The most dangerous finding is CVE-2021-44228, the Log4Shell vulnerability, which allows unauthenticated remote attackers to execute arbitrary code on affected systems. A second critical vulnerability, CVE-2017-5645 with a CVSS score of 9.8, is also present, further compounding the security posture. The scan confirms that official remediations are available, with fixed versions explicitly listed for each CVE.

This report serves as a direct, actionable warning for any development or security team whose dependency tree includes this specific artifact. The presence of Log4Shell in a project's runtime is a severe operational threat that demands urgent remediation. Organizations must immediately verify their software inventories, prioritize the upgrade to the patched versions (2.12.2, 2.15.0, or later), and assess any potential compromise from systems that may have been exposed while running the vulnerable library.