Search for packages
| purl | pkg:maven/ch.qos.logback/logback-core@1.4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-24ma-xwcb-uud9
Aliases: CVE-2025-11226 GHSA-25qh-j22f-pwp8 |
QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing QOS.CH logback-core versions up to 1.5.18 contain an ACE vulnerability in conditional configuration file processing in Java applications. This vulnerability allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting a malicious environment variable before program execution. A successful attack requires the Janino library and Spring Framework to be present on the user's class path. Additionally, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privileges. |
Affected by 1 other vulnerability. |
|
VCID-7z5b-4xfw-27ar
Aliases: CVE-2024-12801 GHSA-6v67-2wr5-gvf4 |
QOS.CH logback-core Server-Side Request Forgery vulnerability Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML configuration files. |
Affected by 1 other vulnerability. |
|
VCID-jrv7-8e72-pyhb
Aliases: CVE-2024-12798 GHSA-pr98-23f8-jwxv |
QOS.CH logback-core Expression Language Injection vulnerability ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows attackers to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. |
Affected by 1 other vulnerability. |
|
VCID-kfd6-e5jj-fkht
Aliases: CVE-2023-6378 GHSA-vmq6-5m68-f53m |
logback serialization vulnerability A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html |
Affected by 1 other vulnerability. |
|
VCID-pnxr-hj9y-yfd9
Aliases: CVE-2026-1225 GHSA-qqpg-mvqg-649v |
Logback allows an attacker to instantiate classes already present on the class path ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||