csaf_suse - suse-su-2025:0072-1

SUSE-SU-2025:0072-1

Vulnerability from csaf_suse - Published: 2025-01-10 18:33 - Updated: 2025-01-10 18:33

Summary

Security update for logback

Notes

Title of the patch

Security update for logback

Description of the patch

This update for logback fixes the following issues: - CVE-2024-12798: Fixed arbitrary code execution via JaninoEventEvaluator (bsc#1234742) - CVE-2024-12801: Fixed Server-Side Request Forgery in SaxEventRecorder (bsc#1234743)

Patchnames

SUSE-2025-72,openSUSE-SLE-15.6-2025-72

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for logback",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for logback fixes the following issues:\n\n- CVE-2024-12798: Fixed arbitrary code execution via JaninoEventEvaluator (bsc#1234742)\n- CVE-2024-12801: Fixed Server-Side Request Forgery in SaxEventRecorder (bsc#1234743)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-72,openSUSE-SLE-15.6-2025-72",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_0072-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:0072-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-20250072-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:0072-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020093.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1234742",
        "url": "https://bugzilla.suse.com/1234742"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1234743",
        "url": "https://bugzilla.suse.com/1234743"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-12798 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-12798/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-12801 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-12801/"
      }
    ],
    "title": "Security update for logback",
    "tracking": {
      "current_release_date": "2025-01-10T18:33:33Z",
      "generator": {
        "date": "2025-01-10T18:33:33Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:0072-1",
      "initial_release_date": "2025-01-10T18:33:33Z",
      "revision_history": [
        {
          "date": "2025-01-10T18:33:33Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "logback-1.2.11-150200.3.10.1.noarch",
                "product": {
                  "name": "logback-1.2.11-150200.3.10.1.noarch",
                  "product_id": "logback-1.2.11-150200.3.10.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "logback-access-1.2.11-150200.3.10.1.noarch",
                "product": {
                  "name": "logback-access-1.2.11-150200.3.10.1.noarch",
                  "product_id": "logback-access-1.2.11-150200.3.10.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "logback-examples-1.2.11-150200.3.10.1.noarch",
                "product": {
                  "name": "logback-examples-1.2.11-150200.3.10.1.noarch",
                  "product_id": "logback-examples-1.2.11-150200.3.10.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "logback-javadoc-1.2.11-150200.3.10.1.noarch",
                "product": {
                  "name": "logback-javadoc-1.2.11-150200.3.10.1.noarch",
                  "product_id": "logback-javadoc-1.2.11-150200.3.10.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "logback-1.2.11-150200.3.10.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:logback-1.2.11-150200.3.10.1.noarch"
        },
        "product_reference": "logback-1.2.11-150200.3.10.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "logback-access-1.2.11-150200.3.10.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:logback-access-1.2.11-150200.3.10.1.noarch"
        },
        "product_reference": "logback-access-1.2.11-150200.3.10.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "logback-examples-1.2.11-150200.3.10.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:logback-examples-1.2.11-150200.3.10.1.noarch"
        },
        "product_reference": "logback-examples-1.2.11-150200.3.10.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "logback-javadoc-1.2.11-150200.3.10.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:logback-javadoc-1.2.11-150200.3.10.1.noarch"
        },
        "product_reference": "logback-javadoc-1.2.11-150200.3.10.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-12798",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-12798"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "ACE vulnerability in JaninoEventEvaluator  by QOS.CH logback-core\n      upto including version 0.1 to 1.3.14 and  1.4.0 to 1.5.12 in Java applications allows\n      attacker to execute arbitrary code by compromising an existing\n      logback configuration file or by injecting an environment variable\n      before program execution.\n\n\n\n\n\nMalicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\n\n\n\nA successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.6:logback-1.2.11-150200.3.10.1.noarch",
          "openSUSE Leap 15.6:logback-access-1.2.11-150200.3.10.1.noarch",
          "openSUSE Leap 15.6:logback-examples-1.2.11-150200.3.10.1.noarch",
          "openSUSE Leap 15.6:logback-javadoc-1.2.11-150200.3.10.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-12798",
          "url": "https://www.suse.com/security/cve/CVE-2024-12798"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234742 for CVE-2024-12798",
          "url": "https://bugzilla.suse.com/1234742"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.6:logback-1.2.11-150200.3.10.1.noarch",
            "openSUSE Leap 15.6:logback-access-1.2.11-150200.3.10.1.noarch",
            "openSUSE Leap 15.6:logback-examples-1.2.11-150200.3.10.1.noarch",
            "openSUSE Leap 15.6:logback-javadoc-1.2.11-150200.3.10.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.6:logback-1.2.11-150200.3.10.1.noarch",
            "openSUSE Leap 15.6:logback-access-1.2.11-150200.3.10.1.noarch",
            "openSUSE Leap 15.6:logback-examples-1.2.11-150200.3.10.1.noarch",
            "openSUSE Leap 15.6:logback-javadoc-1.2.11-150200.3.10.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-10T18:33:33Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-12798"
    },
    {
      "cve": "CVE-2024-12801",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-12801"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12   on the Java platform, allows an attacker to \nforge requests by compromising logback configuration files in XML.\n\n\n\nThe attacks involves the modification of DOCTYPE declaration in   XML configuration files.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.6:logback-1.2.11-150200.3.10.1.noarch",
          "openSUSE Leap 15.6:logback-access-1.2.11-150200.3.10.1.noarch",
          "openSUSE Leap 15.6:logback-examples-1.2.11-150200.3.10.1.noarch",
          "openSUSE Leap 15.6:logback-javadoc-1.2.11-150200.3.10.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-12801",
          "url": "https://www.suse.com/security/cve/CVE-2024-12801"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234743 for CVE-2024-12801",
          "url": "https://bugzilla.suse.com/1234743"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.6:logback-1.2.11-150200.3.10.1.noarch",
            "openSUSE Leap 15.6:logback-access-1.2.11-150200.3.10.1.noarch",
            "openSUSE Leap 15.6:logback-examples-1.2.11-150200.3.10.1.noarch",
            "openSUSE Leap 15.6:logback-javadoc-1.2.11-150200.3.10.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.6:logback-1.2.11-150200.3.10.1.noarch",
            "openSUSE Leap 15.6:logback-access-1.2.11-150200.3.10.1.noarch",
            "openSUSE Leap 15.6:logback-examples-1.2.11-150200.3.10.1.noarch",
            "openSUSE Leap 15.6:logback-javadoc-1.2.11-150200.3.10.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-10T18:33:33Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-12801"
    }
  ]
}

CVE-2024-12801 (GCVE-0-2024-12801)

Vulnerability from cvelistv5 – Published: 2024-12-19 16:11 – Updated: 2025-01-03 13:40

Summary

Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML configuration files.

Severity ?

2.4 (Low)


                        
                          CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H/V:D/U:Clear

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

NCSC.ch

References

URL

Tags

	https://logback.qos.ch/news.html#1.5.13
	https://logback.qos.ch/news.html#1.3.15

Impacted products

	Vendor	Product	Version
	QOS.CH Sarl	logback	Affected: 0.1 , ≤ 1.3.14 (maven) Affected: 1.4.0 , ≤ 1.5.12 (maven) Unaffected: 1.3.15 Unaffected: 1.5.13

Credits

7asecurity

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12801",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-20T20:15:51.883590Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-20T20:16:07.566Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "XML configuration component"
          ],
          "platforms": [
            "Java"
          ],
          "product": "logback",
          "vendor": "QOS.CH Sarl",
          "versions": [
            {
              "lessThanOrEqual": "1.3.14",
              "status": "affected",
              "version": "0.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "1.5.12",
              "status": "affected",
              "version": "1.4.0",
              "versionType": "maven"
            },
            {
              "status": "unaffected",
              "version": "1.3.15"
            },
            {
              "status": "unaffected",
              "version": "1.5.13"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The attacker needs to access and write to logback configuration files. Alternatively, the attacker needs to be able to force the use of a malicious logback configuration file at application start.\u003cbr\u003e"
            }
          ],
          "value": "The attacker needs to access and write to logback configuration files. Alternatively, the attacker needs to be able to force the use of a malicious logback configuration file at application start."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "7asecurity"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eServer-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12\u0026nbsp; on the Java platform, allows an attacker to \nforge requests by compromising logback configuration files in XML.\n\n\u003cbr\u003e\u003cbr\u003eThe attacks involves the modification of DOCTYPE declaration in\u0026nbsp; XML configuration files.\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12\u00a0 on the Java platform, allows an attacker to \nforge requests by compromising logback configuration files in XML.\n\n\n\nThe attacks involves the modification of DOCTYPE declaration in\u00a0 XML configuration files."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No known existing exploitation.\u003cbr\u003e"
            }
          ],
          "value": "No known existing exploitation."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-212",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-212 Functionality Misuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "providerUrgency": "CLEAR",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H/V:D/U:Clear",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-03T13:40:41.135Z",
        "orgId": "455daabc-a392-441d-aa46-37d35189897c",
        "shortName": "NCSC.ch"
      },
      "references": [
        {
          "url": "https://logback.qos.ch/news.html#1.5.13"
        },
        {
          "url": "https://logback.qos.ch/news.html#1.3.15"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to logback version 1.5.13 or later. If you are using the 1.3.x \nseries, update to logback version 1.3.15 or later. Note that the 1.4.x \nseries remains vulnerable.\n\u003cbr\u003e"
            }
          ],
          "value": "Update to logback version 1.5.13 or later. If you are using the 1.3.x \nseries, update to logback version 1.3.15 or later. Note that the 1.4.x \nseries remains vulnerable."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SaxEventRecorder vulnerable to Server-Side Request Forgery (SSRF) attacks",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to logback version 1.5.13 or later. If you are using the 1.3.x \nseries, update to logback version 1.3.15 or later. Note that the 1.4.x \nseries remains vulnerable."
            }
          ],
          "value": "Update to logback version 1.5.13 or later. If you are using the 1.3.x \nseries, update to logback version 1.3.15 or later. Note that the 1.4.x \nseries remains vulnerable."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
    "assignerShortName": "NCSC.ch",
    "cveId": "CVE-2024-12801",
    "datePublished": "2024-12-19T16:11:50.044Z",
    "dateReserved": "2024-12-19T16:09:59.761Z",
    "dateUpdated": "2025-01-03T13:40:41.135Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-12798 (GCVE-0-2024-12798)

Vulnerability from cvelistv5 – Published: 2024-12-19 15:14 – Updated: 2025-01-03 13:38

Summary

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

Severity ?

5.9 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/RE:L/U:Clear

CWE

CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Assigner

NCSC.ch

References

URL

Tags

	https://logback.qos.ch/news.html#1.5.13
	https://logback.qos.ch/news.html#1.3.15

Impacted products

	Vendor	Product	Version
	QOS.CH Sarl	Logback-core	Affected: 0.1 , ≤ 1.3.14 (maven) Affected: 1.4.0 , ≤ 1.5.12 (maven) Unaffected: 1.3.15 Unaffected: 1.5.13

Credits

7asecurity

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12798",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-20T20:17:18.406704Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-20T20:17:33.360Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "logback-core"
          ],
          "product": "Logback-core",
          "vendor": "QOS.CH Sarl",
          "versions": [
            {
              "lessThanOrEqual": "1.3.14",
              "status": "affected",
              "version": "0.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "1.5.12",
              "status": "affected",
              "version": "1.4.0",
              "versionType": "maven"
            },
            {
              "status": "unaffected",
              "version": "1.3.15"
            },
            {
              "status": "unaffected",
              "version": "1.5.13"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "7asecurity"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eACE vulnerability in JaninoEventEvaluator  by QOS.CH logback-core\n      upto including version 0.1 to 1.3.14 and\u0026nbsp;1.4.0 to 1.5.12 in Java applications allows\n      attacker to execute arbitrary code by compromising an existing\n      logback configuration file or by injecting an environment variable\n      before program execution.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eMalicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\n\u003cbr\u003e\n\u003cbr\u003eA successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.\n\n\n\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "ACE vulnerability in JaninoEventEvaluator  by QOS.CH logback-core\n      upto including version 0.1 to 1.3.14 and\u00a01.4.0 to 1.5.12 in Java applications allows\n      attacker to execute arbitrary code by compromising an existing\n      logback configuration file or by injecting an environment variable\n      before program execution.\n\n\n\n\n\nMalicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\n\n\n\nA successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No known exploitation\u003cbr\u003e"
            }
          ],
          "value": "No known exploitation"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242 Code Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "CLEAR",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/RE:L/U:Clear",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-917",
              "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-03T13:38:58.152Z",
        "orgId": "455daabc-a392-441d-aa46-37d35189897c",
        "shortName": "NCSC.ch"
      },
      "references": [
        {
          "url": "https://logback.qos.ch/news.html#1.5.13"
        },
        {
          "url": "https://logback.qos.ch/news.html#1.3.15"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."
            }
          ],
          "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "JaninoEventEvaluator\u00a0vulnerability",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."
            }
          ],
          "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
    "assignerShortName": "NCSC.ch",
    "cveId": "CVE-2024-12798",
    "datePublished": "2024-12-19T15:14:21.598Z",
    "dateReserved": "2024-12-19T14:21:00.178Z",
    "dateUpdated": "2025-01-03T13:38:58.152Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2025:0072-1

CVE-2024-12801 (GCVE-0-2024-12801)

CVE-2024-12798 (GCVE-0-2024-12798)

Tags

Sightings

Nomenclature