Here is a PoC in how to bypass allowedLdapHost and allowedClasses checks in Log4J 2.15.0 🔗 External Link