#1091319 logback: CVE-2024-12798

Package:
src:logback
Source:
src:logback
Submitter:
Salvatore Bonaccorso
Date:
2025-07-29 14:03:01 UTC
Severity:
normal
Tags:
#1091319#5
Date:
2024-12-23 19:45:05 UTC
From:
To:
Hi,

The following vulnerability was published for logback.

CVE-2024-12798[0]:
| ACE vulnerability in JaninoEventEvaluator  by QOS.CH logback-core
| upto and including version 1.5.12 in Java applications allows
| attacker to execute arbitrary code by compromising an existing
| logback configuration file or by injecting an environment variable
| before program execution.      Malicious logback configuration files
| can allow the attacker to execute  arbitrary code using the
| JaninoEventEvaluator extension.    A successful attack requires the
| user to have write access to a  configuration file. Alternatively,
| the attacker could inject a malicious  environment variable pointing
| to a malicious configuration file. In both  cases, the attack
| requires existing privilege.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-12798
https://www.cve.org/CVERecord?id=CVE-2024-12798
[1] https://logback.qos.ch/news.html#1.5.13
[2] https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
#1091319#10
Date:
2025-07-14 15:00:07 UTC
From:
To:
Hi,

I am working on a new update for the following CVEs in Logback.

  - CVE-2024-12801
  - CVE-2024-12798

My MR will be up shortly for review.

Regards,
Harsh
#1091319#15
Date:
2025-07-29 14:00:13 UTC
From:
To:
Hi Maintainer,

I have a new MR for both this CVE fix.
New upstream version 1.5.13 - MR Link:
https://salsa.debian.org/java-team/logback/-/merge_requests/8

Additional information

Fix: CVE-2024-12798 - ACE vulnerability in JaninoEventEvaluator by
QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to
1.5.12 in Java applications allows attacker to execute arbitrary code by
compromising an existing logback configuration file or by injecting an
environment variable before program execution. Malicious logback
configuration files can allow the attacker to execute arbitrary code
using the JaninoEventEvaluator extension. A successful attack requires
the user to have write access to a configuration file. Alternatively,
the attacker could inject a malicious environment variable pointing to a
malicious configuration file. In both cases, the attack requires
existing privilege.


Fix: CVE-2024-12801 - Server-Side Request Forgery (SSRF) in
SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to
1.5.12  on the Java platform, allows an attacker to forge requests by
compromising logback configuration files in XML. The attacks involves
the modification of DOCTYPE declaration in  XML configuration files.


On the 1.5.x series
The 1.5.x series is a direct descendant of and a drop-in replacement for
the 1.4.x series. It differs from the 1.4.x series by the relocation of
the logback-access module which was moved to its own separate github
repository.
Here is a summary of 1.5.x dependencies:

Let me know if you have any questions.

Harsh