Share
## https://sploitus.com/exploit?id=FE566C03-40AC-51B9-BB51-6FB77264D115
# log4shell-poc-maven

> โš ๏ธ **INTENTIONALLY VULNERABLE FOR SCA TESTING** โ€” do not use in production

Minimal Maven project containing `log4j-core:2.14.1`, the version vulnerable to
**CVE-2021-44228** (Log4Shell), CVSS **10.0 CRITICAL**.

Used as a reference scan target to validate the SAST+SCA vulnerability scanner
built with Java 17 + Trivy + Semgrep (EFREI Paris cybersecurity project).

## Scan with vuln-scanner

```bash
java -jar vuln-scanner-1.0.0.jar \
  --json report.json \
  https://github.com/zoubir-sahnoun/log4shell-poc-maven
```

Expected output: CVE-2021-44228 as CRITICAL in the report.

## CVE Details

| Field | Value |
|---|---|
| CVE | CVE-2021-44228 |
| CVSS v3.1 | **10.0 CRITICAL** |
| Vector | JNDI lookup in log messages โ†’ unauthenticated RCE |
| Affected | log4j-core 2.0-beta9 to 2.14.1 |
| Patch | log4j-core โ‰ฅ 2.15.0 (released 2021-12-10) |
| Impact | Millions of servers exposed within 48h of public disclosure |

## Why this repo exists

SCA scanners (Trivy, Grype, Dependency-Check) detect this CVE from the `pom.xml`
without compiling the project. This repo demonstrates that a single dependency
declaration is enough for a scanner to flag a critical supply-chain risk โ€”
exactly the threat model addressed by DORA Article 28 and ISO 27001:2022 A.8.29.