[FP]: CVE-2026-34480 log4j-api confused with log4j-core

[adam-siklosi]

Package URl

pkg:maven/org.apache.logging.log4j/log4j-api@2.24.2

CPE

cpe:2.3:a:apache:log4j:2.24.2:::::::*

CVE

CVE-2026-34480

ODC Integration

{"label" => "Gradle Plugin"}

ODC Version

12.1.9

Description

This vulnerability is limited to Apache Log4j Core (the org.apache.logging.log4j:log4j-core artifact / log4j-core.jar). It impacts the XmlLayout class in Log4j Core versions 2.21.0 through 2.25.3 (and some 3.0.0 beta versions).

[github-actions]

Maven Coordinates

<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-api</artifactId>
  <version>2.24.2</version>
</dependency>

Suppression rule:

<suppress base="true">
    <notes><![CDATA[
    FP per issue #8457
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j-api@.*$</packageUrl>
    <cpe>cpe:/a:apache:log4j</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/24978144978

[chadlwilson]

This happens because NVD does not manage CVE as individual package/component level - it only manages them at "product level". Normally we do not manage suppressions at this level, as it's not scalable, but we do have some for log4j, probably due to how widespread it is, so will update them.