Deserialization of Untrusted Data in logback

2021-12-1720:00:50

Google

osv.dev

0.016 Low

EPSS

Percentile

87.3%

JSON

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

CPENameOperatorVersion
ch.qos.logback:logback-coreeq0.9.1
ch.qos.logback:logback-coreeq0.9.9
ch.qos.logback:logback-coreeq0.3
ch.qos.logback:logback-coreeq0.9.20
ch.qos.logback:logback-coreeq1.2.4-groovyless
ch.qos.logback:logback-coreeq1.1.0
ch.qos.logback:logback-coreeq0.9.21
ch.qos.logback:logback-coreeq0.9.11
ch.qos.logback:logback-coreeq0.9.16
ch.qos.logback:logback-coreeq1.1.5

Name	Operator	Version
ch.qos.logback:logback-core	eq	0.9.1
ch.qos.logback:logback-core	eq	0.9.9
ch.qos.logback:logback-core	eq	0.3
ch.qos.logback:logback-core	eq	0.9.20
ch.qos.logback:logback-core	eq	1.2.4-groovyless
ch.qos.logback:logback-core	eq	1.1.0
ch.qos.logback:logback-core	eq	0.9.21
ch.qos.logback:logback-core	eq	0.9.11
ch.qos.logback:logback-core	eq	0.9.16
ch.qos.logback:logback-core	eq	1.1.5