Uploaded image for project: 'logback'
  1. logback
  2. LOGBACK-1591

Possibility of vulnerability - registered as CVE-2021-42550

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.0-alpha10
    • Fix Version/s: 1.3.0-alpha11, 1.2.9
    • Component/s: logback-classic
    • Labels:
      None
    • Environment:

      Android

      com.github.tony19:logback-android : 2.0.0

      org.slf4j:slf4j-api: 1.7.30

       

      Description

      Jira tickets are reserved for reporting bugs and not a support forum. Comments out of place will deleted.

      CVE-2021-42550 has been assigned.

      The vulnerability is considered to pose a lesser threat than log4shell because it requires access to logback's configuration file by the attacker, sign of an already compromised system.
      This CVE-2021-42550 is intended to prevent an escalation of an existing flaw to a higher threat level.

      Logback should not be a vector in making an RCE possible even as a stepping stone for the attacker exploiting a prior existing vulnerability (in a different part of the system).

       

        Attachments

          Activity

            People

            Assignee:
            ceki Ceki Gülcü
            Reporter:
            ceki Ceki Gülcü
            Votes:
            4 Vote for this issue
            Watchers:
            34 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: