#1091320 logback: CVE-2024-12801

Package:
src:logback
Source:
src:logback
Submitter:
Salvatore Bonaccorso
Date:
2025-07-29 14:11:01 UTC
Severity:
normal
Tags:
#1091320#5
Date:
2024-12-23 19:47:26 UTC
From:
To:
Hi,

The following vulnerability was published for logback.

CVE-2024-12801[0]:
| Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH
| logback version 1.5.12 on the Java platform, allows an attacker to
| forge requests by compromising logback configuration files in XML.
| The attacks involves the modification of DOCTYPE declaration in  XML
| configuration files.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-12801
https://www.cve.org/CVERecord?id=CVE-2024-12801
[1] https://logback.qos.ch/news.html#1.5.13
[2] https://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d

Regards,
Salvatore
#1091320#10
Date:
2025-07-14 15:00:07 UTC
From:
To:
Hi,

I am working on a new update for the following CVEs in Logback.

  - CVE-2024-12801
  - CVE-2024-12798

My MR will be up shortly for review.

Regards,
Harsh
#1091320#15
Date:
2025-07-29 14:00:13 UTC
From:
To:
Hi Maintainer,

I have a new MR for both this CVE fix.
New upstream version 1.5.13 - MR Link:
https://salsa.debian.org/java-team/logback/-/merge_requests/8

Additional information

Fix: CVE-2024-12798 - ACE vulnerability in JaninoEventEvaluator by
QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to
1.5.12 in Java applications allows attacker to execute arbitrary code by
compromising an existing logback configuration file or by injecting an
environment variable before program execution. Malicious logback
configuration files can allow the attacker to execute arbitrary code
using the JaninoEventEvaluator extension. A successful attack requires
the user to have write access to a configuration file. Alternatively,
the attacker could inject a malicious environment variable pointing to a
malicious configuration file. In both cases, the attack requires
existing privilege.


Fix: CVE-2024-12801 - Server-Side Request Forgery (SSRF) in
SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to
1.5.12  on the Java platform, allows an attacker to forge requests by
compromising logback configuration files in XML. The attacks involves
the modification of DOCTYPE declaration in  XML configuration files.


On the 1.5.x series
The 1.5.x series is a direct descendant of and a drop-in replacement for
the 1.4.x series. It differs from the 1.4.x series by the relocation of
the logback-access module which was moved to its own separate github
repository.
Here is a summary of 1.5.x dependencies:

Let me know if you have any questions.

Harsh