Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02djY3LTJ3cjUtZ3ZmNM4ABCoZ
QOS.CH logback-core Server-Side Request Forgery vulnerability
Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML.
The attack involves the modification of the DOCTYPE declaration in XML configuration files.
Permalink: https://github.com/advisories/GHSA-6v67-2wr5-gvf4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02djY3LTJ3cjUtZ3ZmNM4ABCoZ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 20 days ago
Updated: 5 days ago
EPSS Percentage: 0.00043
EPSS Percentile: 0.10892
Identifiers: GHSA-6v67-2wr5-gvf4, CVE-2024-12801
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-12801
- https://logback.qos.ch/news.html#1.5.13
- https://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d
- https://logback.qos.ch/news.html#1.3.15
- https://github.com/advisories/GHSA-6v67-2wr5-gvf4
Blast Radius: 0.0
Affected Packages
maven:ch.qos.logback:logback-core
Dependent packages: 5,539
Dependent repositories: 43,479
Downloads:
Affected Version Ranges: < 1.3.15; >= 1.4.0, < 1.5.13
Fixed in: 1.3.15, 1.5.13
All affected versions: 0.2.5, 0.7.1, 0.8.1, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15, 0.9.16, 0.9.17, 0.9.18, 0.9.19, 0.9.20, 0.9.21, 0.9.22, 0.9.23, 0.9.24, 0.9.25, 0.9.26, 0.9.27, 0.9.28, 0.9.29, 0.9.30, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.3.12, 1.3.13, 1.3.14, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12
All unaffected versions: 1.3.15, 1.5.13, 1.5.14, 1.5.15, 1.5.16