Bug#1091320: logback: CVE-2024-12801 , CVE-2024-12798

me at iamharshdoshi.com
Tue Jul 29 15:00:13 BST 2025


Hi Maintainer,

I have a new MR for both these CVE fixes.
New upstream version 1.5.13 - MR Link: 
https://salsa.debian.org/java-team/logback/-/merge_requests/8

Additional information

Fix: CVE-2024-12798 - ACE vulnerability in JaninoEventEvaluator by 
QOS.CH logback-core up to and including version 0.1 to 1.3.14 and 1.4.0 to 
1.5.12 in Java applications allows an attacker to execute arbitrary code by 
compromising an existing logback configuration file or by injecting an 
environment variable before program execution. Malicious logback 
configuration files can allow the attacker to execute arbitrary code 
using the JaninoEventEvaluator extension. A successful attack requires 
the user to have write access to a configuration file. Alternatively, 
the attacker could inject a malicious environment variable pointing to a 
malicious configuration file. In both cases, the attack requires 
existing privilege.


Fix: CVE-2024-12801 - Server-Side Request Forgery (SSRF) in 
SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 
1.5.12 on the Java platform, allows an attacker to forge requests by 
compromising logback configuration files in XML. The attack involves 
the modification of the DOCTYPE declaration in XML configuration files.


On the 1.5.x series
The 1.5.x series is a direct descendant of and a drop-in replacement for 
the 1.4.x series. It differs from the 1.4.x series by the relocation of 
the logback-access module, which was moved to its own separate GitHub 
repository.
Here is a summary of 1.5.x dependencies:

Let me know if you have any questions.

Harsh
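
The SSRF described for CVE-2024-12801 belongs to the class of issues where an XML parser honours a DOCTYPE declaration in a configuration file and fetches an external DTD or entity while parsing. The following is an added illustration, not logback's code and not part of the merge request above: it shows the generic JAXP hardening a defender applies to a SAX parser so that any DOCTYPE is rejected before resolution can happen, and checks it against two constructed sample documents. The class and method names (HardenedConfigParser, newHardenedParser, acceptsConfig) are assumptions for this example; the feature URIs are the standard JAXP/Xerces ones supported by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

// Example class (hypothetical name): hardened SAX parsing of an XML
// configuration file so that DOCTYPE-driven outbound requests cannot occur.
public class HardenedConfigParser {

    // Builds a SAX parser that rejects any DOCTYPE declaration and disables
    // external entity and external DTD resolution. Rejecting the DOCTYPE
    // outright is the strongest setting; the entity features below are
    // defence in depth in case a parser implementation ignores the first.
    static SAXParser newHardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    // Returns true when the document parses under the hardened settings and
    // false when the parser rejects it (a DOCTYPE is reported as a parse
    // error before any URI in it would be resolved).
    static boolean acceptsConfig(String xml) throws Exception {
        SAXParser parser = newHardenedParser();
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        try {
            parser.parse(new InputSource(new ByteArrayInputStream(bytes)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal configuration document without a DOCTYPE.
        String clean = "<configuration><root level=\"INFO\"/></configuration>";

        // Constructed sample: the same document carrying a DOCTYPE that names an
        // external DTD on a reserved, non-resolvable test host.
        String withDoctype =
            "<!DOCTYPE configuration SYSTEM \"http://example.invalid/logback.dtd\">\n"
            + "<configuration><root level=\"INFO\"/></configuration>";

        System.out.println("clean document accepted:   " + acceptsConfig(clean));
        System.out.println("DOCTYPE document accepted: " + acceptsConfig(withDoctype));
    }
}
```

Compile and run with `javac HardenedConfigParser.java && java HardenedConfigParser`; the first document is accepted and the second is refused without any network access being attempted. In a real application the rejection should be logged as a configuration-integrity event, since a DOCTYPE appearing in a file that never needed one is itself a signal worth alerting on.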