Source: logback
Version: 1:1.2.11-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for logback.

CVE-2024-12798[0]:
| ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
| up to and including version 1.5.12 in Java applications allows
| attacker to execute arbitrary code by compromising an existing
| logback configuration file or by injecting an environment variable
| before program execution. Malicious logback configuration files
| can allow the attacker to execute arbitrary code using the
| JaninoEventEvaluator extension. A successful attack requires the
| user to have write access to a configuration file. Alternatively,
| the attacker could inject a malicious environment variable pointing
| to a malicious configuration file. In both cases, the attack
| requires existing privilege.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-12798
    https://www.cve.org/CVERecord?id=CVE-2024-12798
[1] https://logback.qos.ch/news.html#1.5.13
[2] https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
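The report above turns on one question a deployer can answer locally: does any logback configuration in reach of the application declare an evaluator that is backed by JaninoEventEvaluator, the extension that compiles the `<expression>` body as Java code? The script below is an added example for triaging that, not part of the Debian report, of logback, or of the upstream fix. It parses a logback XML configuration and lists every `<evaluator>` that names `ch.qos.logback.classic.boolex.JaninoEventEvaluator` explicitly or omits the `class` attribute; treating the omitted attribute as Janino is an assumption (logback documents Janino as the default evaluator class), and the two sample configurations are constructed for the example.

```python
"""Flag JaninoEventEvaluator usage in logback XML configuration.

Added example for triaging CVE-2024-12798; not the Debian report's or
logback's own code. Assumption: an <evaluator> with no class attribute is
backed by JaninoEventEvaluator (logback's documented default). Sample
configurations below are constructed for this example.
"""
import xml.etree.ElementTree as ET

JANINO_CLASS = "ch.qos.logback.classic.boolex.JaninoEventEvaluator"


def find_janino_evaluators(xml_text):
    """Return (evaluator name, class attribute or "(default)", expression)
    for every <evaluator> element that resolves to JaninoEventEvaluator."""
    root = ET.fromstring(xml_text)
    findings = []
    for ev in root.iter("evaluator"):
        cls = ev.get("class")
        # Assumption: a missing class attribute means the Janino default.
        if cls is None or cls == JANINO_CLASS:
            expr_el = ev.find("expression")
            expr = (expr_el.text or "").strip() if expr_el is not None else ""
            findings.append((ev.get("name", ""), cls or "(default)", expr))
    return findings


# Constructed sample: two evaluators, one implicit and one explicit.
SAMPLE_WITH_JANINO = """<configuration>
  <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
      <evaluator name="implicitEval">
        <expression>return message.contains("billing");</expression>
      </evaluator>
      <OnMismatch>NEUTRAL</OnMismatch>
      <OnMatch>DENY</OnMatch>
    </filter>
    <encoder><pattern>%d %-5level %msg%n</pattern></encoder>
  </appender>
  <appender name="FILE" class="ch.qos.logback.core.FileAppender">
    <file>app.log</file>
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
      <evaluator name="explicitEval"
                 class="ch.qos.logback.classic.boolex.JaninoEventEvaluator">
        <expression>return level &gt; INFO;</expression>
      </evaluator>
      <OnMismatch>DENY</OnMismatch>
      <OnMatch>ACCEPT</OnMatch>
    </filter>
    <encoder><pattern>%d %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="CONSOLE"/></root>
</configuration>"""

# Constructed sample: same shape, but filtering by level only, no evaluator.
SAMPLE_CLEAN = """<configuration>
  <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
      <level>INFO</level>
    </filter>
    <encoder><pattern>%d %-5level %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="CONSOLE"/></root>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("with-janino", SAMPLE_WITH_JANINO), ("clean", SAMPLE_CLEAN)):
        hits = find_janino_evaluators(cfg)
        print(f"{label}: {len(hits)} Janino evaluator(s)")
        for name, cls, expr in hits:
            print(f"  evaluator={name!r} class={cls} expression={expr!r}")
```

Run it against the real files by replacing the constructed samples with the text of each logback.xml (and any file a configuration override points to); every line it prints is a place where whoever can edit that file can also supply Java source for the running JVM to compile, which is the condition the CVE text describes.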
