Source: logback
Version: 1:1.2.11-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for logback.

CVE-2024-12801[0]:
| Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH
| logback version 1.5.12 on the Java platform, allows an attacker to
| forge requests by compromising logback configuration files in XML.
| The attack involves the modification of DOCTYPE declaration in XML
| configuration files.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-12801
    https://www.cve.org/CVERecord?id=CVE-2024-12801
[1] https://logback.qos.ch/news.html#1.5.13
[2] https://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d

Regards,
Salvatore
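The CVE text above describes the failure mode in general terms: a SAX parser that honours a DOCTYPE declaration in an XML configuration file can be made to fetch an external DTD, which is the request-forgery vector. The example below is added here to illustrate the standard JAXP mitigation for that class of problem; it is not the upstream logback patch (see the commit in [2] for what logback actually changed) and not code from this bug report. The class name, the two constructed sample documents and the `example.invalid` host are all assumptions made for the illustration; the feature URIs are the documented Xerces/JDK parser features.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example (hypothetical class): parse XML config without honouring DOCTYPE. */
public class HardenedXmlConfigParser {

    // Constructed sample: a config whose DOCTYPE points at an external DTD.
    // A parser that honours it would issue an outbound request while parsing.
    static final String CONFIG_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE configuration SYSTEM \"http://example.invalid/external.dtd\">\n" +
        "<configuration><appender name=\"A\"/></configuration>";

    // Constructed sample: the same config with no DOCTYPE at all.
    static final String CONFIG_PLAIN =
        "<?xml version=\"1.0\"?><configuration><appender name=\"A\"/></configuration>";

    /** Builds a SAXParser that rejects DOCTYPE declarations and never resolves external DTDs/entities. */
    static SAXParser newHardenedParser() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: no DTD fetch, no entity expansion.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: even where a DOCTYPE is tolerated, do not resolve external resources.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf.newSAXParser();
    }

    /** Parses the document with the hardened parser; returns true if it was accepted. */
    static boolean parse(String xml) throws Exception {
        try {
            newHardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            // For CONFIG_WITH_DOCTYPE the parser fails here, before any network access is attempted.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain config accepted:   " + parse(CONFIG_PLAIN));
        System.out.println("DOCTYPE config accepted: " + parse(CONFIG_WITH_DOCTYPE));
    }
}
```

The first document parses normally; the second is rejected by `disallow-doctype-decl` at the DOCTYPE line. A useful detection-side check on any Java service that loads XML configuration from a writable location is to confirm that feature is set on the factory in use, since the SSRF only materialises when the parser is allowed to act on the declaration.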
