
CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

A serialization vulnerability in the logback receiver component, part of logback versions 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a denial-of-service attack by sending poisoned data. A serialization vulnerability in the Logback Receiver component: Logback versions 1.4.13, 1.3.13 and 1.2.12 allow an attacker to mount a denial-of-service attack by sending poisoned data. A flaw was found in the logback package. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component.
• https://logback.qos.ch/news.html#1.3.12 https://logback.qos.ch/news.html#1.3.14 https://access.redhat.com/security/cve/CVE-2023-6481 https://bugzilla.redhat.com/show_bug.cgi?id=2252956
• CWE-400: Uncontrolled Resource Consumption

CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

A serialization vulnerability in the logback receiver component, part of logback version 1.4.11, allows an attacker to mount a denial-of-service attack by sending poisoned data. A serialization vulnerability in the log receiver component of version 1.4.11 allows an attacker to mount a denial-of-service attack by sending poisoned data. A flaw was found in the logback package, where it is vulnerable to a denial of service caused by a serialization flaw in the receiver component. By sending specially crafted poisoned data, a remote attacker can cause a denial-of-service condition.
• https://logback.qos.ch/news.html#1.3.12 https://access.redhat.com/security/cve/CVE-2023-6378 https://bugzilla.redhat.com/show_bug.cgi?id=2252230
• CWE-499: Serializable Class Containing Sensitive Data; CWE-502: Deserialization of Untrusted Data

CVSS: 8.5 | EPSS: 1% | CPEs: 17 | EXPL: 3

In logback version 1.2.7 and prior versions, an attacker with the privileges required to edit configuration files could craft a malicious configuration that allows arbitrary code loaded from LDAP servers to be executed. In logback versions 1.2.7 and earlier, an attacker with the privileges needed to edit configuration files could design a malicious configuration that allows arbitrary code loaded from LDAP servers to be executed. A flaw was found in the logback package. When using a specially crafted configuration, this issue could allow a remote authenticated attacker to execute arbitrary code loaded from LDAP servers.
• http://logback.qos.ch/news.html http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html http://seclists.org/fulldisclosure/2022/Jul/11 https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf https://github.com/cn-panda/logbackRceDemo https://jira.qos.ch/browse/LOGBACK-1591 https://security.netapp.com/advisory/ntap-20211229-0001 https://access.redhat.com/security/cve/CVE-2021-42550 https://bugzilla.redhat.com/show_
• CWE-502: Deserialization of Untrusted Data