Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wcjk4LTIzZjgtand4ds4ABCog
QOS.CH logback-core Expression Language Injection vulnerability
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows attackers to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension.
A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
Permalink: https://github.com/advisories/GHSA-pr98-23f8-jwxvJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcjk4LTIzZjgtand4ds4ABCog
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 20 days ago
Updated: 5 days ago
EPSS Percentage: 0.00061
EPSS Percentile: 0.27555
Identifiers: GHSA-pr98-23f8-jwxv, CVE-2024-12798
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-12798
- https://logback.qos.ch/news.html#1.5.13
- https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183
- https://logback.qos.ch/news.html#1.3.15
- https://github.com/advisories/GHSA-pr98-23f8-jwxv
Blast Radius: 0.0
Affected Packages
maven:ch.qos.logback:logback-core
Dependent packages: 5,539Dependent repositories: 43,479
Downloads:
Affected Version Ranges: < 1.3.15, >= 1.4.0, < 1.5.13
Fixed in: 1.3.15, 1.5.13
All affected versions: 0.2.5, 0.7.1, 0.8.1, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15, 0.9.16, 0.9.17, 0.9.18, 0.9.19, 0.9.20, 0.9.21, 0.9.22, 0.9.23, 0.9.24, 0.9.25, 0.9.26, 0.9.27, 0.9.28, 0.9.29, 0.9.30, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.3.12, 1.3.13, 1.3.14, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12
All unaffected versions: 1.3.15, 1.5.13, 1.5.14, 1.5.15, 1.5.16