## Critical Log4j Vulnerabilities (CVE-2021-44228, CVE-2021-45046) Detected in Legacy Version 2.8.2
A direct dependency scan has flagged the legacy library `log4j-core-2.8.2.jar` as containing two critical, actively exploitable vulnerabilities. The most severe, CVE-2021-44228, carries a maximum CVSS score of 10.0, indicating a flaw that allows for remote code execution with no authentication required. The second, CVE-2021-45046, scores 9.0. Both findings are rated with 'High' exploit maturity, and their Exploit Prediction Scoring System (EPSS) scores exceed 94%, signaling a very high probability of active exploitation in the wild. This specific version of the Apache Log4j library is a direct dependency in the scanned project, making the application immediately vulnerable.

The vulnerabilities are part of the widespread Log4Shell crisis that impacted millions of applications globally. The scan results explicitly show that remediation is available, with fixed versions listed for the `org.apache.logging.log4j:log4j-core` artifact. However, the presence of version 2.8.2, a release that is years old and far below the patched version ranges, indicates a significant lag in dependency management or a failure to apply critical security updates. The library's path within the project structure suggests it is a core component of the build.

For any system still running this outdated version, the risk is not theoretical. The combination of maximum severity scores, high exploit maturity, and EPSS scores above 94% makes remediation an urgent operational priority. Organizations must immediately verify their dependency trees, upgrade to a patched version (2.17.0 or later, per current guidance), and assume compromise if this library has been exposed to untrusted input. The persistence of such a high-profile vulnerability in a production codebase represents a severe lapse in software supply chain security.
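As an added example that is not part of the scan report or of the Log4j project: a Python check that reads `mvn dependency:tree` output and flags `log4j-core` versions against the report's two CVEs and its 2.17.0 upgrade target. The per-CVE fix versions (2.15.0 and 2.16.0 on the mainline, plus the 2.12.2 and 2.3.1 backports) come from the Apache Log4j security advisories, not from this page, and the dependency-tree text is constructed.

```python
import re
from typing import Dict, List, Tuple

# Coordinates as they appear in Maven dependency-tree output.
LOG4J_CORE = re.compile(r"org\.apache\.logging\.log4j:log4j-core:jar:([0-9][0-9A-Za-z.\-]*)")

# Fix versions from the Apache Log4j security advisories (not from the scan report):
# CVE-2021-44228 was fixed in 2.15.0 and CVE-2021-45046 in 2.16.0; the Java 7/6
# backport branches 2.12.2 and 2.3.1 carry both fixes. 2.17.0 is the report's target.
FIXES = {"CVE-2021-44228": (2, 15, 0), "CVE-2021-45046": (2, 16, 0)}
BACKPORT_FIXED = {(2, 12): (2, 12, 2), (2, 3): (2, 3, 1)}
RECOMMENDED = (2, 17, 0)

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.8.2' or '2.17.0-rc1' into a comparable tuple; qualifiers are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0])[:3])

def open_cves(version: str) -> List[str]:
    """Return the CVEs from the report that still apply to this log4j-core version."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch in BACKPORT_FIXED and ver >= BACKPORT_FIXED[branch]:
        return []  # backport release that already carries both fixes
    return [cve for cve, fixed in FIXES.items() if ver < fixed]

def scan_dependency_tree(tree_text: str) -> Dict[str, dict]:
    """Map each log4j-core version found to its open CVEs and upgrade status."""
    report = {}
    for m in LOG4J_CORE.finditer(tree_text):
        version = m.group(1)
        report[version] = {
            "open_cves": open_cves(version),
            "needs_upgrade": parse_version(version) < RECOMMENDED,
        }
    return report

# Constructed sample of `mvn dependency:tree` output; the 2.8.2 line mirrors the report.
SAMPLE_TREE = """\
[INFO] com.example:billing:jar:1.4.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.8.2:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.8.2:compile
[INFO] \\- com.example:reporting:jar:3.1.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
"""

if __name__ == "__main__":
    for version, status in scan_dependency_tree(SAMPLE_TREE).items():
        print(version, status)
```
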

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, software supply chain, vulnerability, CVE-2021-44228, dependency management
- **Credibility**: unverified
- **Published**: 2026-04-05 06:26:58
- **ID**: 50394
- **URL**: https://whisperx.ai/en/intel/50394