8.5

CVE-2021-42550

Exploit

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
QosLogback Version <= 1.2.7
QosLogback Version1.3.0 Updatealpha0
QosLogback Version1.3.0 Updatealpha1
QosLogback Version1.3.0 Updatealpha10
QosLogback Version1.3.0 Updatealpha2
QosLogback Version1.3.0 Updatealpha3
QosLogback Version1.3.0 Updatealpha4
QosLogback Version1.3.0 Updatealpha5
QosLogback Version1.3.0 Updatealpha6
QosLogback Version1.3.0 Updatealpha7
QosLogback Version1.3.0 Updatealpha8
QosLogback Version1.3.0 Updatealpha9
RedhatSatellite Version6.0
NetappCloud Manager Version-
SiemensSinec Nms Version < 1.0.3
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.29% 0.884
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.6 0.7 5.9
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 8.5 6.8 10
AV:N/AC:M/Au:S/C:C/I:C/A:C
vulnerability@ncsc.ch 6.6 0.7 5.9
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

http://seclists.org/fulldisclosure/2022/Jul/11
Third Party Advisory
Mailing List
https://github.com/cn-panda/logbackRceDemo
Third Party Advisory
Exploit
https://jira.qos.ch/browse/LOGBACK-1591
Patch
Third Party Advisory
Exploit
Issue Tracking