Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-12798

Good to know:

icon
icon

Date: December 19, 2024

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

Language: Java

Severity Score

Related Resources (6)

https://logback.qos.ch/news.html#1.5.13
https://github.com/qos-ch/logback
https://logback.qos.ch/news.html#1.3.15
https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183
https://nvd.nist.gov/vuln/detail/CVE-2024-12798
https://www.mend.io/vulnerability-database/CVE-2024-12798

Severity Score

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CWE-917

Top Fix

icon

Upgrade Version

Upgrade to version ch.qos.logback:logback-core:1.3.15;ch.qos.logback:logback-core:1.5.13

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): HIGH
Availability (A): LOW

Do you need more information?

Contact Us