
CVSS: 9.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

19 Dec 2024 — Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform allows an attacker to forge requests by compromising logback configuration files in XML. The attack involves the modification of the DOCTYPE declaration in XML configuration files. Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform allows an attacker to forge requests by compromising logback configuration files in XML... • https://logback.qos.ch/news.html#1.5.13 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

19 Dec 2024 — ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, t... • https://logback.qos.ch/news.html#1.5.13 • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CVSS: 7.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

04 Dec 2023 — A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. A flaw was found in the logback package. Affected versions of this package are vulnerable to Uncontrolled Re... • https://logback.qos.ch/news.html#1.3.12 • CWE-400: Uncontrolled Resource Consumption

CVSS: 7.8 • EPSS: 1% • CPEs: 3 • EXPL: 0

29 Nov 2023 — A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. A flaw was found in the logback package, where it is vulnerable to a denial of service caused by a serialization flaw in the receive... • https://logback.qos.ch/news.html#1.3.12 • CWE-499: Serializable Class Containing Sensitive Data • CWE-502: Deserialization of Untrusted Data

CVSS: 8.5 • EPSS: 2% • CPEs: 17 • EXPL: 3

16 Dec 2021 — In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration allowing execution of arbitrary code loaded from LDAP servers. A flaw was found in the logback package. When using a special... • http://logback.qos.ch/news.html • CWE-502: Deserialization of Untrusted Data

CVSS: 9.8 • EPSS: 18% • CPEs: 3 • EXPL: 0

13 Mar 2017 — QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated att... • https://access.redhat.com/errata/RHSA-2017:1675 • CWE-502: Deserialization of Untrusted Data