NVD

Vulnerability Change Records for CVE-2024-12798

Change History

CVE Modified by Switzerland Government Common Vulnerability Program 1/03/2025 9:15:24 AM

Action

Type

Old Value

New Value

Changed

Description

ACE vulnerability in JaninoEventEvaluator  by QOS.CH logback-core
      upto and including version 1.5.12 in Java applications allows
      attacker to execute arbitrary code by compromising an existing
      logback configuration file or by injecting an environment variable
      before program execution.





Malicious logback configuration files can allow the attacker to execute 
arbitrary code using the JaninoEventEvaluator extension.



A successful attack requires the user to have write access to a 
configuration file. Alternatively, the attacker could inject a malicious 
environment variable pointing to a malicious configuration file. In both 
cases, the attack requires existing privilege.

ACE vulnerability in JaninoEventEvaluator  by QOS.CH logback-core
      upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows
      attacker to execute arbitrary code by compromising an existing
      logback configuration file or by injecting an environment variable
      before program execution.





Malicious logback configuration files can allow the attacker to execute 
arbitrary code using the JaninoEventEvaluator extension.



A successful attack requires the user to have write access to a 
configuration file. Alternatively, the attacker could inject a malicious 
environment variable pointing to a malicious configuration file. In both 
cases, the attack requires existing privilege.

Added

Reference

https://logback.qos.ch/news.html#1.3.15

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

Vulnerability Change Records for CVE-2024-12798

Change History

CVE Modified by Switzerland Government Common Vulnerability Program 1/03/2025 9:15:24 AM