Details

Type: Sub-task
Status: Open
Priority: Critical
Resolution: Unresolved
Affects Version/s: 1.2.8
Fix Version/s: None
Component/s: logback-classic, logback-core
Labels:
Description
Hello friend! Similar to CVE-2021-4104, in logback's SMTPAppender, it is possible to override the configuration to enable sessionViaJNDI and specify jndiLocation as a malicious JNDI server, leading to JNDI injection and even RCE. More details are in the attached PDF.
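As an added check, not the reporter's code, the contents of the attached PDF, or anything from the logback project: a Python scanner that parses a logback XML configuration and flags every SMTPAppender with sessionViaJNDI set to true, escalating to high severity when jndiLocation points outside the container's java: namespace, which is the shape the report describes. The property names sessionViaJNDI and jndiLocation are the ones named above; the three sample configurations, the example.invalid host names, the severity labels, and the assumption that an unset jndiLocation resolves under java:comp/env are assumptions made for this example.

```python
"""Audit logback XML configurations for SMTPAppender JNDI session lookups.

Added example, not from the bug report or the logback project. Property
names (sessionViaJNDI, jndiLocation) are the ones named in the report; the
sample configurations, host names and severity labels are constructed.
"""
import xml.etree.ElementTree as ET


def _child_text(elem, name):
    child = elem.find(name)
    if child is None or child.text is None:
        return None
    return child.text.strip()


def audit_logback_config(xml_text):
    """Return (appender_name, severity, reason) for every SMTPAppender
    that resolves its mail Session through JNDI."""
    findings = []
    root = ET.fromstring(xml_text)
    for appender in root.iter("appender"):
        # Match logback-classic and logback-access variants by class suffix.
        if not appender.get("class", "").endswith("SMTPAppender"):
            continue
        name = appender.get("name", "<unnamed>")
        via_jndi = (_child_text(appender, "sessionViaJNDI") or "").lower()
        if via_jndi != "true":
            continue  # Session built from smtpHost/smtpPort; no lookup
        location = _child_text(appender, "jndiLocation")
        if location is None:
            # Assumption: the unset default resolves under java:comp/env
            findings.append((name, "medium",
                             "sessionViaJNDI=true, jndiLocation left at default"))
        elif location.lower().startswith("java:"):
            findings.append((name, "medium",
                             "sessionViaJNDI=true, jndiLocation=" + location))
        else:
            # A name the container does not own (ldap://, rmi://, ...) is the
            # pattern the report describes: a lookup target chosen by whoever
            # controls the configuration.
            findings.append((name, "high",
                             "jndiLocation outside java: namespace: " + location))
    return findings


# Constructed sample: Session configured directly, no JNDI involved.
HARDENED_CONFIG = """
<configuration>
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <smtpHost>smtp.example.invalid</smtpHost>
    <to>ops@example.invalid</to>
    <from>app@example.invalid</from>
    <subject>%logger{20} - %m</subject>
    <sessionViaJNDI>false</sessionViaJNDI>
    <layout class="ch.qos.logback.classic.PatternLayout">
      <pattern>%date %-5level %logger{35} - %message%n</pattern>
    </layout>
  </appender>
  <root level="ERROR"><appender-ref ref="EMAIL"/></root>
</configuration>
"""

# Constructed sample: JNDI lookup enabled but confined to the container.
LOCAL_JNDI_CONFIG = HARDENED_CONFIG.replace(
    "<sessionViaJNDI>false</sessionViaJNDI>",
    "<sessionViaJNDI>true</sessionViaJNDI>\n"
    "    <jndiLocation>java:comp/env/mail/default</jndiLocation>")

# Constructed sample: the weak shape the report warns about, with the
# lookup redirected to a server outside the container.
REMOTE_JNDI_CONFIG = HARDENED_CONFIG.replace(
    "<sessionViaJNDI>false</sessionViaJNDI>",
    "<sessionViaJNDI>true</sessionViaJNDI>\n"
    "    <jndiLocation>ldap://mail.example.invalid:1389/Session</jndiLocation>")


if __name__ == "__main__":
    for label, cfg in [("hardened", HARDENED_CONFIG),
                       ("local-jndi", LOCAL_JNDI_CONFIG),
                       ("remote-jndi", REMOTE_JNDI_CONFIG)]:
        print(label, audit_logback_config(cfg) or "no findings")
```

The scanner only sees the static XML: logback substitutes `${...}` variables at load time, so a jndiLocation assembled from a system property or environment variable will not be resolved here and should be reviewed by hand. Treat any high finding as the override pattern described in this report, and prefer the hardened shape, with sessionViaJNDI left false and the SMTP host configured directly, wherever the deployment does not genuinely need a container-managed mail Session.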