Описание
Security update for logback
This update for logback fixes the following issues:
- CVE-2024-12798: Fixed arbitrary code execution via JaninoEventEvaluator (bsc#1234742)
- CVE-2024-12801: Fixed Server-Side Request Forgery in SaxEventRecorder (bsc#1234743)
Список пакетов
openSUSE Leap 15.6
Ссылки
- Link for SUSE-SU-2025:0072-1
- E-Mail link for SUSE-SU-2025:0072-1
- SUSE Security Ratings
- SUSE Bug 1234742
- SUSE Bug 1234743
- SUSE CVE CVE-2024-12798 page
- SUSE CVE CVE-2024-12801 page
Описание
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
Затронутые продукты
Ссылки
- CVE-2024-12798
- SUSE Bug 1234742
Описание
Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML configuration files.
Затронутые продукты
Ссылки
- CVE-2024-12801
- SUSE Bug 1234743