Twitter Feed: Post

@gcouprie ("Geoffroy Couprie") replied to a tweet by @gcouprie:

TL;DR: in log4j 2.0 to 2.14.1 (potentially 1.x too), if you create a log line like "text"+attackerControlledInput the attacker can run arbitrary code in your app, by remote java class loading 😬
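
An added example (not part of the tweet and not Log4j project code): a dependency inventory check that flags Log4j jars falling inside the version range the tweet states. The Maven-style jar naming, the focus on the `log4j-core` artifact, the function names and the sample paths are assumptions made for illustration.

```python
import re

# Range as stated in the tweet: 2.0 through 2.14.1; 1.x is only "potentially" affected.
LOW, HIGH = (2, 0, 0), (2, 14, 1)

# Assumption: Maven-style names such as log4j-core-2.14.1.jar or log4j-1.2.17.jar.
# Anchoring on a path separator avoids matching bridges like slf4j-log4j12-*.jar.
JAR_RE = re.compile(
    r"(?:^|[/\\])log4j(?:-core)?-(\d+(?:\.\d+){1,2})(?:[-.][A-Za-z][\w.]*)?\.jar$"
)

def parse_version(text):
    """Turn '2.14.1' or '2.3' into a 3-tuple of ints, padding with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(path):
    """Return a verdict for one jar path, or None if it is not a Log4j jar."""
    m = JAR_RE.search(path)
    if not m:
        return None
    version = parse_version(m.group(1))
    if version[0] == 1:
        return "potentially-affected"   # the tweet's "(potentially 1.x too)"
    # Pre-release suffixes (e.g. -beta9) are ignored, so 2.0-beta9 counts as 2.0.
    if LOW <= version <= HIGH:
        return "affected"
    return "outside-stated-range"

def audit(paths):
    """Map every recognised Log4j jar in `paths` to its verdict."""
    return {p: v for p in paths if (v := classify(p)) is not None}

# Constructed sample inventory, e.g. the output of a recursive file listing.
SAMPLE = [
    "app/lib/log4j-core-2.14.1.jar",
    "app/lib/log4j-core-2.0-beta9.jar",
    "app/lib/log4j-core-2.15.0.jar",
    "legacy/WEB-INF/lib/log4j-1.2.17.jar",
    "app/lib/log4j-api-2.14.1.jar",
    "app/lib/slf4j-log4j12-1.7.30.jar",
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE).items():
        print(f"{verdict:22} {path}")
```

A file-name check misses copies that were renamed or shaded into a fat jar, so treat a clean result as a starting point for a deeper dependency audit.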