Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 1.3.0-alpha10
- Fix Version/s: 1.3.0-alpha11, 1.2.9
- Component/s: logback-classic
- Labels: None
- Environment:
  Android
  com.github.tony19:logback-android : 2.0.0
  org.slf4j:slf4j-api: 1.7.30
Description
Jira tickets are reserved for reporting bugs and are not a support forum. Comments out of place will be deleted.
CVE-2021-42550 has been assigned.
The vulnerability is considered to pose a lesser threat than log4shell because it requires access to logback's configuration file by the attacker, a sign of an already compromised system.
This CVE-2021-42550 is intended to prevent an escalation of an existing flaw to a higher threat level.
Logback should not be a vector in making an RCE possible even as a stepping stone for the attacker exploiting a prior existing vulnerability (in a different part of the system).