CVE-2024-12801
EPSS 0.06%QOS.CH logback-core Server-Side Request Forgery vulnerability
Published: 12/19/2024Modified: 4/28/2026
Description
Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML configuration files.
Affected packages (2)
- Debian/logbackfrom 0
- Maven/ch.qos.logback:logback-core>= 1.4.0, < 1.5.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H/V:D/U:Clear |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-12801
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-12801
- PATCHhttps://github.com/qos-ch/logback
- WEBhttps://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d
- WEBhttps://logback.qos.ch/news.html#1.3.15
- WEBhttps://logback.qos.ch/news.html#1.5.13