SCA: security update for org.apache.logging.log4j:log4j-layout-template-json (GHSA-w35j-pv5h-q9q9)

medium Tenable Cloud Security Plugin ID 440319

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html ,
in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite
floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause
downstream log processing systems to reject or fail to index affected records. An attacker can exploit
this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. *
The application logs a MapMessage containing an attacker-controlled floating-point value. Users are
advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.
(CVE-2026-34481)

Solution

Update the org.apache.logging.log4j:log4j-layout-template-json library and its related packages to version 2.25.4 or later.

See Also

https://github.com/advisories/GHSA-w35j-pv5h-q9q9

Plugin Details

Severity: Medium

ID: 440319

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 4/14/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2026-34481

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 1.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/10/2026

Vulnerability Publication Date: 4/10/2026

Reference Information

CVE: CVE-2026-34481

cwe: CWE-116