CVE-2023-6481 – Logback "receiver" DOS vulnerability (incomplete fix for CVE-2023-6378)
https://notcve.org/view.php?id=CVE-2023-6481
A serialization vulnerability in the logback receiver component, part of logback versions 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a Denial-of-Service attack by sending poisoned data.
A flaw was found in the logback package. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component.
References: https://logback.qos.ch/news.html#1.3.12 https://logback.qos.ch/news.html#1.3.14 https://access.redhat.com/security/cve/CVE-2023-6481 https://bugzilla.redhat.com/show_bug.cgi?id=2252956
CWE-400: Uncontrolled Resource Consumption
CVE-2023-6378 – Logback "receiver" DOS vulnerability
https://notcve.org/view.php?id=CVE-2023-6378
A serialization vulnerability in the logback receiver component, part of logback version 1.4.11, allows an attacker to mount a Denial-of-Service attack by sending poisoned data.
A flaw was found in the logback package, where it is vulnerable to a denial of service caused by a serialization flaw in the receiver component. By sending specially crafted poisoned data, a remote attacker can cause a denial of service condition.
References: https://logback.qos.ch/news.html#1.3.12 https://access.redhat.com/security/cve/CVE-2023-6378 https://bugzilla.redhat.com/show_bug.cgi?id=2252230
CWE-499: Serializable Class Containing Sensitive Data
CWE-502: Deserialization of Untrusted Data