VulnerableCode Package Details - pkg:deb/debian/logback@1:1.2.11-3?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
VCID-kfd6-e5jj-fkht Aliases: CVE-2023-6378 GHSA-vmq6-5m68-f53m	logback serialization vulnerability A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html	1:1.2.11-5 Affected by 0 other vulnerabilities. 1:1.2.11-6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-kfd6-e5jj-fkht
Aliases:
CVE-2023-6378
GHSA-vmq6-5m68-f53m

logback serialization vulnerability A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html

1:1.2.11-5
Affected by 0 other vulnerabilities.

1:1.2.11-6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-24ma-xwcb-uud9	QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing QOS.CH logback-core versions up to 1.5.18 contain an ACE vulnerability in conditional configuration file processing in Java applications. This vulnerability allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting a malicious environment variable before program execution. A successful attack requires the Janino library and Spring Framework to be present on the user's class path. Additionally, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privileges.	CVE-2025-11226 GHSA-25qh-j22f-pwp8
VCID-2y5d-qg7z-2kdg	QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.	CVE-2017-5929 GHSA-vmfg-rjjm-rjrj
VCID-6f98-j1tr-zfcm	Deserialization of Untrusted Data In logback version 1.2.9 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.	CVE-2021-42550 GHSA-668q-qrv7-99fm
VCID-khac-mqdh-hqd7	Logback is vulnerable to an attacker mounting a Denial-Of-Service attack by sending poisoned data A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.	CVE-2023-6481 GHSA-gm62-rw4g-vrc4

Vulnerability

Summary

Aliases

VCID-24ma-xwcb-uud9

QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing QOS.CH logback-core versions up to 1.5.18 contain an ACE vulnerability in conditional configuration file processing in Java applications. This vulnerability allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting a malicious environment variable before program execution. A successful attack requires the Janino library and Spring Framework to be present on the user's class path. Additionally, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privileges.

CVE-2025-11226
GHSA-25qh-j22f-pwp8

VCID-2y5d-qg7z-2kdg

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.

CVE-2017-5929
GHSA-vmfg-rjjm-rjrj

VCID-6f98-j1tr-zfcm

Deserialization of Untrusted Data In logback version 1.2.9 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

CVE-2021-42550
GHSA-668q-qrv7-99fm

VCID-khac-mqdh-hqd7

Logback is vulnerable to an attacker mounting a Denial-Of-Service attack by sending poisoned data A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

CVE-2023-6481
GHSA-gm62-rw4g-vrc4

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T12:30:53.351386+00:00	Debian Importer	Fixing	VCID-2y5d-qg7z-2kdg	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:50:20.388006+00:00	Debian Importer	Fixing	VCID-24ma-xwcb-uud9	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:51:50.843416+00:00	Debian Importer	Fixing	VCID-khac-mqdh-hqd7	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:34:09.818733+00:00	Debian Importer	Fixing	VCID-2y5d-qg7z-2kdg	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:34:34.749788+00:00	Debian Importer	Fixing	VCID-24ma-xwcb-uud9	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:57:09.265224+00:00	Debian Importer	Fixing	VCID-khac-mqdh-hqd7	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:45:17.894257+00:00	Debian Importer	Fixing	VCID-24ma-xwcb-uud9	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:45:17.829164+00:00	Debian Importer	Fixing	VCID-khac-mqdh-hqd7	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:45:17.796146+00:00	Debian Importer	Affected by	VCID-kfd6-e5jj-fkht	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:45:17.753220+00:00	Debian Importer	Fixing	VCID-6f98-j1tr-zfcm	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:45:17.707413+00:00	Debian Importer	Fixing	VCID-2y5d-qg7z-2kdg	https://security-tracker.debian.org/tracker/data/json	38.1.0