> Moreover, this demo is incomplete because there is no code that launches the calculator. In fact, I deliberately omitted this point because I assumed that others know what's going on. You can get it here: https://github.com/welk1n/JNDI-Injection-Exploit. Then you can get an LDAP address loaded with a malicious attack payload. The function of this attack payload is to open the calculator. I read the other comments. In fact, I agree with them, because the demo I wrote has an arbitrary file upload vulnerability. The premise of using logback configuration file JNDI injection is that you can modify it and make it effective, which is very difficult in a real scenario. However, as I said before, under special circumstances, the configuration file of logback may be used. My project is only a demonstration, and there are other possible scenarios, depending on the imagination of the attacker. Before I submitted the report to Ceki Gülcü, I thought it was not a vulnerability and tried to exchange views with him. However, Red Hat issued a [CVE](https://access.redhat.com/security/cve/CVE-2021-4104) announcement, so I think, by comparison, logback has the same problem, but the severity of the problem is low. After all, the parameters of the configuration file do not come from user input like log4shell. In fact, my suggestion is to retain usage similar to `Java:comp/env/context/basename`. After all, it takes effect in many configuration files, and the security fix cannot be allowed to affect the stability of the business.