Description
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core, up to and including versions 0.1 through 1.3.14 and 1.4.0 through 1.5.12, in Java applications allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.

Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

A flaw was found in Logback. This flaw allows a privileged attacker with write access to modify Logback configuration files or inject a malicious environment variable to execute arbitrary code via the JaninoEventEvaluator extension.
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| AMQ Clients | ch.qos.logback/logback-core | Fix deferred | | |
| A-MQ Clients 2 | ch.qos.logback/logback-core | Affected | | |
| Logging Subsystem for Red Hat OpenShift | ch.qos.logback/logback-core | Affected | | |
| Red Hat AMQ Broker 7 | ch.qos.logback/logback-core | Affected | | |
| Red Hat build of Apache Camel - HawtIO 4 | ch.qos.logback/logback-core | Fix deferred | | |
| Red Hat build of Debezium 2 | ch.qos.logback/logback-core | Will not fix | | |
| Red Hat Build of Keycloak | ch.qos.logback/logback-core | Not affected | | |
| Red Hat build of OptaPlanner 8 | ch.qos.logback/logback-core | Fix deferred | | |
| Red Hat Data Grid 8 | ch.qos.logback/logback-core | Will not fix | | |
| Red Hat Fuse 7 | ch.qos.logback/logback-core | Out of support scope | | |
Additional information
Status:
EPSS:
CVSS3: 5.5 Medium
Related vulnerabilities
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core ...
QOS.CH logback-core Expression Language Injection vulnerability
Vulnerability in the logback-core module of the QOS (Quality of Service) monitoring system that allows an attacker to execute arbitrary code