## Log4j 2.8.2 Jar Flags Critical 10.0 CVSS Vulnerability in Active Project
A direct project dependency on the outdated `log4j-core-2.8.2.jar` library exposes a system to two critical, actively exploitable vulnerabilities, including the infamous Log4Shell flaw with a maximum CVSS score of 10.0. This finding, surfaced by automated security scanning, indicates a severe and immediate risk of remote code execution for any application still relying on this version. The exploit maturity for both flaws is rated as 'High,' with an Exploit Prediction Scoring System (EPSS) probability exceeding 94%, confirming active, widespread exploitation in the wild.

The specific vulnerabilities are CVE-2021-44228 (CVSS 10.0) and CVE-2021-45046 (CVSS 9.0). Both are directly linked to the Apache Log4j 2.x series and were publicly disclosed years ago, making their continued presence a significant security oversight. The library is flagged as a 'Direct' dependency in the project's `/pom.xml` file, meaning it is explicitly declared and not a transitive inclusion, placing the responsibility for remediation squarely on the project maintainers.

Official patches have long been available. The fix for CVE-2021-44228 is to upgrade to Log4j versions 2.3.1, 2.12.2, or 2.15.0. For CVE-2021-45046, the patched versions are 2.3.1, 2.12.2, or 2.16.0. The scan confirms a 'Remediation Available' status, but the persistence of the vulnerable version suggests either a lack of awareness, deployment inertia, or complex legacy integration challenges. This leaves the associated application and its data flow critically exposed to one of the most severe and pervasive software supply chain attacks in recent history.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Log4Shell, CVE-2021-44228, Software Supply Chain, Vulnerability Management, Apache Software Foundation
- **Credibility**: unverified
- **Published**: 2026-04-03 00:27:04
- **ID**: 48184
- **URL**: https://whisperx.ai/en/intel/48184