Uploaded image for project: 'logback'
  1. logback
  2. LOGBACK-1591

Possibility of vulnerability - registered as CVE-2021-42550

    XMLWordPrintable

Details

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Major Major
    • 1.3.0-alpha11, 1.2.9
    • 1.3.0-alpha10
    • logback-classic
    • None

    • Android

      com.github.tony19:logback-android : 2.0.0

      org.slf4j:slf4j-api: 1.7.30

       

    Description

      Jira tickets are reserved for reporting bugs and not a support forum. Comments out of place will be deleted.

      CVE-2021-42550 has been assigned.

      The vulnerability is considered to pose a lesser threat than log4shell because it requires access to logback's configuration file by the attacker, sign of an already compromised system.
      This CVE-2021-42550 is intended to prevent an escalation of an existing flaw to a higher threat level.

      Logback should not be a vector in making an RCE possible even as a stepping stone for the attacker exploiting a prior existing vulnerability (in a different part of the system).

       

      Attachments

        1. image-2021-12-15-10-32-29-094.png
          186 kB
        2. image-2021-12-17-11-29-43-936.png
          45 kB
        3. Screen Shot 2021-12-23 at 2.17.49 AM.png
          140 kB
        1.
        		 sessionViaJNDI function of SMTPAppender may suffers from jndi injections Sub-task Open Ceki Gülcü

        Activity

          People

            ceki Ceki Gülcü
            ceki Ceki Gülcü
            Votes:
            4 Vote for this issue
            Watchers:
            34 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: