Search criteria
8 vulnerabilities found for logback by qos
CVE-2023-6481 (GCVE-0-2023-6481)
Vulnerability from nvd – Published: 2023-12-04 08:35 – Updated: 2024-08-02 08:28
VLAI?
Title
Logback "receiver" DOS vulnerability CVE-2023-6378 incomplete fix
Summary
A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Severity ?
7.1 (High)
CWE
- Denial-of-service using poisoned data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QOS.CH Sarl | logback |
Unaffected:
1.4.14
Unaffected: 1.3.14 Unaffected: 1.2.13 |
Credits
Yakov Shafranovich, Amazon Web Services
Camilo Aparecido Ferri Moreira
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:28:21.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://logback.qos.ch/news.html#1.3.12"
},
{
"tags": [
"x_transferred"
],
"url": "https://logback.qos.ch/news.html#1.3.14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"logback receiver"
],
"platforms": [
"Windows",
"Linux",
"MacOS"
],
"product": "logback",
"repo": "https://github.com/qos-ch/logback",
"vendor": "QOS.CH Sarl",
"versions": [
{
"status": "unaffected",
"version": "1.4.14"
},
{
"status": "unaffected",
"version": "1.3.14"
},
{
"status": "unaffected",
"version": "1.2.13"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\u003cpre\u003eThe attacker needs to be able to feed poisoned data to a logback receiver. Thus, the attacker needs to connect to a logback receiver which can be a significant hurdle in itself.\u003cbr\u003eOnly environments where logback receiver is deployed are vulnerable. \u003cbr\u003e\u003c/pre\u003e\n\n"
}
],
"value": "The attacker needs to be able to feed poisoned data to a logback receiver. Thus, the attacker needs to connect to a logback receiver which can be a significant hurdle in itself.\nOnly environments where logback receiver is deployed are vulnerable. \n\n\n\n\n"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Yakov Shafranovich, Amazon Web Services"
},
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Camilo Aparecido Ferri Moreira"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nA serialization vulnerability in logback receiver component part of \nlogback version 1.4.13,\u0026nbsp;1.3.13 and\u0026nbsp;1.2.12 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n"
}
],
"value": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.13,\u00a01.3.13 and\u00a01.2.12 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Excessive CPU or memory usage on the host where a logback receiver component is deployed"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial-of-service using poisoned data",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-04T08:35:44.396Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://logback.qos.ch/news.html#1.3.12"
},
{
"url": "https://logback.qos.ch/news.html#1.3.14"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Only environments where logback receiver component is deployed may be vulnerable.\n In case a logback receiver is deployed, restricting connections to \ntrustworthy clients or upgrading to logback version 1.4.14, 1.3.14, 1.2.13 or later will remedy the vulnerability.\u003cbr\u003e\u003cbr\u003eIf you do not need to deploy logback-receiver, then please verify that you do not have any \u0026lt;receiver\u0026gt;\u0026lt;/receiver\u0026gt; entries in your configuration files.\u003cbr\u003e"
}
],
"value": "Only environments where logback receiver component is deployed may be vulnerable.\n In case a logback receiver is deployed, restricting connections to \ntrustworthy clients or upgrading to logback version 1.4.14, 1.3.14, 1.2.13 or later will remedy the vulnerability.\n\nIf you do not need to deploy logback-receiver, then please verify that you do not have any \u003creceiver\u003e\u003c/receiver\u003e entries in your configuration files.\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Logback \"receiver\" DOS vulnerability CVE-2023-6378 incomplete fix",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Logback versions 1.2.13 and later, 1.3.14 \nand later\u0026nbsp; or 1.4.14 \nand later\n\nprovides fixes. However, please note that these fixes are only effective when deployed under Java 9 or later.\u003cbr\u003e"
}
],
"value": "Logback versions 1.2.13 and later, 1.3.14 \nand later\u00a0 or 1.4.14 \nand later\n\nprovides fixes. However, please note that these fixes are only effective when deployed under Java 9 or later.\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2023-6481",
"datePublished": "2023-12-04T08:35:44.396Z",
"dateReserved": "2023-12-04T08:34:29.742Z",
"dateUpdated": "2024-08-02T08:28:21.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6378 (GCVE-0-2023-6378)
Vulnerability from nvd – Published: 2023-11-29 12:02 – Updated: 2024-11-29 12:04
VLAI?
Title
Logback "receiver" DOS vulnerability
Summary
A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Severity ?
7.1 (High)
CWE
- Denial-of-service using poisoned data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QOS.CH Sarl | logback |
Unaffected:
1.4.12
Unaffected: 1.3.12 Unaffected: 1.2.13 |
Credits
Yakov Shafranovich, Amazon Web Services
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-11-29T12:04:40.421Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://logback.qos.ch/news.html#1.3.12"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241129-0012/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T17:51:31.895829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T17:55:50.633Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"logback receiver"
],
"platforms": [
"Windows",
"Linux",
"MacOS"
],
"product": "logback",
"repo": "https://github.com/qos-ch/logback",
"vendor": "QOS.CH Sarl",
"versions": [
{
"status": "unaffected",
"version": "1.4.12"
},
{
"status": "unaffected",
"version": "1.3.12"
},
{
"status": "unaffected",
"version": "1.2.13"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\u003cpre\u003eThe attacker needs to be able to feed poisoned data to a logback receiver. Thus, the attacker needs to connect to a logback receiver which can be a significant hurdle in itself.\u003c/pre\u003e\n\n\u003cbr\u003e"
}
],
"value": "The attacker needs to be able to feed poisoned data to a logback receiver. Thus, the attacker needs to connect to a logback receiver which can be a significant hurdle in itself.\n\n\n\n\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Yakov Shafranovich, Amazon Web Services"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nA serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n"
}
],
"value": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Excessive CPU or memory usage on the host where a logback receiver component is deployed"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial-of-service using poisoned data",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-05T08:57:52.168Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://logback.qos.ch/news.html#1.3.12"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Only environments where logback receiver component is deployed may be vulnerable.\n In case a logback receiver is deployed, restricting connections to \ntrustworthy clients or upgrading to logback version 1.4.12 or later will remedy the vulnerability.\u003cbr\u003e"
}
],
"value": "Only environments where logback receiver component is deployed may be vulnerable.\n In case a logback receiver is deployed, restricting connections to \ntrustworthy clients or upgrading to logback version 1.4.12 or later will remedy the vulnerability.\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Logback \"receiver\" DOS vulnerability ",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Only environments where logback receiver is deployed are vulnerable. \u003cbr\u003e"
}
],
"value": "Only environments where logback receiver is deployed are vulnerable. \n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2023-6378",
"datePublished": "2023-11-29T12:02:37.496Z",
"dateReserved": "2023-11-29T10:18:07.523Z",
"dateUpdated": "2024-11-29T12:04:40.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42550 (GCVE-0-2021-42550)
Vulnerability from nvd – Published: 2021-12-16 00:00 – Updated: 2024-08-04 03:38
VLAI?
Title
RCE from attacker with configuration edit priviledges through JNDI lookup
Summary
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Severity ?
6.6 (Medium)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:38:49.194Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://logback.qos.ch/news.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cn-panda/logbackRceDemo"
},
{
"tags": [
"x_transferred"
],
"url": "https://jira.qos.ch/browse/LOGBACK-1591"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211229-0001/"
},
{
"name": "20220721 Open-Xchange Security Advisory 2022-07-21",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Jul/11"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "logback",
"vendor": "QOS.ch",
"versions": [
{
"lessThan": "1.2.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "1.3.0-alpha11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-08T00:00:00",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "http://logback.qos.ch/news.html"
},
{
"url": "https://github.com/cn-panda/logbackRceDemo"
},
{
"url": "https://jira.qos.ch/browse/LOGBACK-1591"
},
{
"url": "https://security.netapp.com/advisory/ntap-20211229-0001/"
},
{
"name": "20220721 Open-Xchange Security Advisory 2022-07-21",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/Jul/11"
},
{
"url": "http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "upgrade to \u003e=1.2.9 or \u003e=1.3.0-alpha11"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "RCE from attacker with configuration edit priviledges through JNDI lookup ",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2021-42550",
"datePublished": "2021-12-16T00:00:00",
"dateReserved": "2021-10-15T00:00:00",
"dateUpdated": "2024-08-04T03:38:49.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5929 (GCVE-0-2017-5929)
Vulnerability from nvd – Published: 2017-03-13 06:14 – Updated: 2024-08-05 15:18
VLAI?
Summary
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:18:48.814Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2017:1832",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"name": "RHSA-2017:1675",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1675"
},
{
"name": "RHSA-2018:2927",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2927"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://logback.qos.ch/news.html"
},
{
"name": "RHSA-2017:1676",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1676"
},
{
"name": "[cassandra-commits] 20191112 [jira] [Created] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191112 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15421) CVE-2017-5929(QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9%40%3Cdev.brooklyn.apache.org%3E"
},
{
"name": "[mnemonic-dev] 20201202 [GitHub] [mnemonic] yzz127 opened a new pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169%40%3Cdev.mnemonic.apache.org%3E"
},
{
"name": "[mnemonic-dev] 20201204 [GitHub] [mnemonic] bigdata-memory merged pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc%40%3Cdev.mnemonic.apache.org%3E"
},
{
"name": "[mnemonic-commits] 20201204 [mnemonic] branch master updated: MNEMONIC-553: Fix for CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790%40%3Ccommits.mnemonic.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Assigned] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210923 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6%40%3Ccommits.cassandra.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-03-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-23T15:06:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "RHSA-2017:1832",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"name": "RHSA-2017:1675",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1675"
},
{
"name": "RHSA-2018:2927",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2927"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://logback.qos.ch/news.html"
},
{
"name": "RHSA-2017:1676",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1676"
},
{
"name": "[cassandra-commits] 20191112 [jira] [Created] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191112 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15421) CVE-2017-5929(QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9%40%3Cdev.brooklyn.apache.org%3E"
},
{
"name": "[mnemonic-dev] 20201202 [GitHub] [mnemonic] yzz127 opened a new pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169%40%3Cdev.mnemonic.apache.org%3E"
},
{
"name": "[mnemonic-dev] 20201204 [GitHub] [mnemonic] bigdata-memory merged pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc%40%3Cdev.mnemonic.apache.org%3E"
},
{
"name": "[mnemonic-commits] 20201204 [mnemonic] branch master updated: MNEMONIC-553: Fix for CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790%40%3Ccommits.mnemonic.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Assigned] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210923 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6%40%3Ccommits.cassandra.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5929",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2017:1832",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"name": "RHSA-2017:1675",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:1675"
},
{
"name": "RHSA-2018:2927",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2927"
},
{
"name": "https://logback.qos.ch/news.html",
"refsource": "CONFIRM",
"url": "https://logback.qos.ch/news.html"
},
{
"name": "RHSA-2017:1676",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:1676"
},
{
"name": "[cassandra-commits] 20191112 [jira] [Created] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191112 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15421) CVE-2017-5929(QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E"
},
{
"name": "[mnemonic-dev] 20201202 [GitHub] [mnemonic] yzz127 opened a new pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169@%3Cdev.mnemonic.apache.org%3E"
},
{
"name": "[mnemonic-dev] 20201204 [GitHub] [mnemonic] bigdata-memory merged pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc@%3Cdev.mnemonic.apache.org%3E"
},
{
"name": "[mnemonic-commits] 20201204 [mnemonic] branch master updated: MNEMONIC-553: Fix for CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790@%3Ccommits.mnemonic.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Assigned] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210923 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6@%3Ccommits.cassandra.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-5929",
"datePublished": "2017-03-13T06:14:00",
"dateReserved": "2017-02-07T00:00:00",
"dateUpdated": "2024-08-05T15:18:48.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6481 (GCVE-0-2023-6481)
Vulnerability from cvelistv5 – Published: 2023-12-04 08:35 – Updated: 2024-08-02 08:28
VLAI?
Title
Logback "receiver" DOS vulnerability CVE-2023-6378 incomplete fix
Summary
A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Severity ?
7.1 (High)
CWE
- Denial-of-service using poisoned data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QOS.CH Sarl | logback |
Unaffected:
1.4.14
Unaffected: 1.3.14 Unaffected: 1.2.13 |
Credits
Yakov Shafranovich, Amazon Web Services
Camilo Aparecido Ferri Moreira
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:28:21.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://logback.qos.ch/news.html#1.3.12"
},
{
"tags": [
"x_transferred"
],
"url": "https://logback.qos.ch/news.html#1.3.14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"logback receiver"
],
"platforms": [
"Windows",
"Linux",
"MacOS"
],
"product": "logback",
"repo": "https://github.com/qos-ch/logback",
"vendor": "QOS.CH Sarl",
"versions": [
{
"status": "unaffected",
"version": "1.4.14"
},
{
"status": "unaffected",
"version": "1.3.14"
},
{
"status": "unaffected",
"version": "1.2.13"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\u003cpre\u003eThe attacker needs to be able to feed poisoned data to a logback receiver. Thus, the attacker needs to connect to a logback receiver which can be a significant hurdle in itself.\u003cbr\u003eOnly environments where logback receiver is deployed are vulnerable. \u003cbr\u003e\u003c/pre\u003e\n\n"
}
],
"value": "The attacker needs to be able to feed poisoned data to a logback receiver. Thus, the attacker needs to connect to a logback receiver which can be a significant hurdle in itself.\nOnly environments where logback receiver is deployed are vulnerable. \n\n\n\n\n"
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Yakov Shafranovich, Amazon Web Services"
},
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Camilo Aparecido Ferri Moreira"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nA serialization vulnerability in logback receiver component part of \nlogback version 1.4.13,\u0026nbsp;1.3.13 and\u0026nbsp;1.2.12 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n"
}
],
"value": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.13,\u00a01.3.13 and\u00a01.2.12 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Excessive CPU or memory usage on the host where a logback receiver component is deployed"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial-of-service using poisoned data",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-04T08:35:44.396Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://logback.qos.ch/news.html#1.3.12"
},
{
"url": "https://logback.qos.ch/news.html#1.3.14"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Only environments where logback receiver component is deployed may be vulnerable.\n In case a logback receiver is deployed, restricting connections to \ntrustworthy clients or upgrading to logback version 1.4.14, 1.3.14, 1.2.13 or later will remedy the vulnerability.\u003cbr\u003e\u003cbr\u003eIf you do not need to deploy logback-receiver, then please verify that you do not have any \u0026lt;receiver\u0026gt;\u0026lt;/receiver\u0026gt; entries in your configuration files.\u003cbr\u003e"
}
],
"value": "Only environments where logback receiver component is deployed may be vulnerable.\n In case a logback receiver is deployed, restricting connections to \ntrustworthy clients or upgrading to logback version 1.4.14, 1.3.14, 1.2.13 or later will remedy the vulnerability.\n\nIf you do not need to deploy logback-receiver, then please verify that you do not have any \u003creceiver\u003e\u003c/receiver\u003e entries in your configuration files.\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Logback \"receiver\" DOS vulnerability CVE-2023-6378 incomplete fix",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Logback versions 1.2.13 and later, 1.3.14 \nand later\u0026nbsp; or 1.4.14 \nand later\n\nprovides fixes. However, please note that these fixes are only effective when deployed under Java 9 or later.\u003cbr\u003e"
}
],
"value": "Logback versions 1.2.13 and later, 1.3.14 \nand later\u00a0 or 1.4.14 \nand later\n\nprovides fixes. However, please note that these fixes are only effective when deployed under Java 9 or later.\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2023-6481",
"datePublished": "2023-12-04T08:35:44.396Z",
"dateReserved": "2023-12-04T08:34:29.742Z",
"dateUpdated": "2024-08-02T08:28:21.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6378 (GCVE-0-2023-6378)
Vulnerability from cvelistv5 – Published: 2023-11-29 12:02 – Updated: 2024-11-29 12:04
VLAI?
Title
Logback "receiver" DOS vulnerability
Summary
A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Severity ?
7.1 (High)
CWE
- Denial-of-service using poisoned data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QOS.CH Sarl | logback |
Unaffected:
1.4.12
Unaffected: 1.3.12 Unaffected: 1.2.13 |
Credits
Yakov Shafranovich, Amazon Web Services
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-11-29T12:04:40.421Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://logback.qos.ch/news.html#1.3.12"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241129-0012/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T17:51:31.895829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T17:55:50.633Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"logback receiver"
],
"platforms": [
"Windows",
"Linux",
"MacOS"
],
"product": "logback",
"repo": "https://github.com/qos-ch/logback",
"vendor": "QOS.CH Sarl",
"versions": [
{
"status": "unaffected",
"version": "1.4.12"
},
{
"status": "unaffected",
"version": "1.3.12"
},
{
"status": "unaffected",
"version": "1.2.13"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\u003cpre\u003eThe attacker needs to be able to feed poisoned data to a logback receiver. Thus, the attacker needs to connect to a logback receiver which can be a significant hurdle in itself.\u003c/pre\u003e\n\n\u003cbr\u003e"
}
],
"value": "The attacker needs to be able to feed poisoned data to a logback receiver. Thus, the attacker needs to connect to a logback receiver which can be a significant hurdle in itself.\n\n\n\n\n"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Yakov Shafranovich, Amazon Web Services"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nA serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n"
}
],
"value": "A serialization vulnerability in logback receiver component part of \nlogback version 1.4.11 allows an attacker to mount a Denial-Of-Service \nattack by sending poisoned data.\n\n"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Excessive CPU or memory usage on the host where a logback receiver component is deployed"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial-of-service using poisoned data",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-05T08:57:52.168Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://logback.qos.ch/news.html#1.3.12"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Only environments where logback receiver component is deployed may be vulnerable.\n In case a logback receiver is deployed, restricting connections to \ntrustworthy clients or upgrading to logback version 1.4.12 or later will remedy the vulnerability.\u003cbr\u003e"
}
],
"value": "Only environments where logback receiver component is deployed may be vulnerable.\n In case a logback receiver is deployed, restricting connections to \ntrustworthy clients or upgrading to logback version 1.4.12 or later will remedy the vulnerability.\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Logback \"receiver\" DOS vulnerability ",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Only environments where logback receiver is deployed are vulnerable. \u003cbr\u003e"
}
],
"value": "Only environments where logback receiver is deployed are vulnerable. \n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2023-6378",
"datePublished": "2023-11-29T12:02:37.496Z",
"dateReserved": "2023-11-29T10:18:07.523Z",
"dateUpdated": "2024-11-29T12:04:40.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42550 (GCVE-0-2021-42550)
Vulnerability from cvelistv5 – Published: 2021-12-16 00:00 – Updated: 2024-08-04 03:38
VLAI?
Title
RCE from attacker with configuration edit priviledges through JNDI lookup
Summary
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Severity ?
6.6 (Medium)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:38:49.194Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://logback.qos.ch/news.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cn-panda/logbackRceDemo"
},
{
"tags": [
"x_transferred"
],
"url": "https://jira.qos.ch/browse/LOGBACK-1591"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211229-0001/"
},
{
"name": "20220721 Open-Xchange Security Advisory 2022-07-21",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Jul/11"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "logback",
"vendor": "QOS.ch",
"versions": [
{
"lessThan": "1.2.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "1.3.0-alpha11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-08T00:00:00",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "http://logback.qos.ch/news.html"
},
{
"url": "https://github.com/cn-panda/logbackRceDemo"
},
{
"url": "https://jira.qos.ch/browse/LOGBACK-1591"
},
{
"url": "https://security.netapp.com/advisory/ntap-20211229-0001/"
},
{
"name": "20220721 Open-Xchange Security Advisory 2022-07-21",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/Jul/11"
},
{
"url": "http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "upgrade to \u003e=1.2.9 or \u003e=1.3.0-alpha11"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "RCE from attacker with configuration edit priviledges through JNDI lookup ",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2021-42550",
"datePublished": "2021-12-16T00:00:00",
"dateReserved": "2021-10-15T00:00:00",
"dateUpdated": "2024-08-04T03:38:49.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5929 (GCVE-0-2017-5929)
Vulnerability from cvelistv5 – Published: 2017-03-13 06:14 – Updated: 2024-08-05 15:18
VLAI?
Summary
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:18:48.814Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2017:1832",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"name": "RHSA-2017:1675",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1675"
},
{
"name": "RHSA-2018:2927",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2927"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://logback.qos.ch/news.html"
},
{
"name": "RHSA-2017:1676",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1676"
},
{
"name": "[cassandra-commits] 20191112 [jira] [Created] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191112 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15421) CVE-2017-5929(QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9%40%3Cdev.brooklyn.apache.org%3E"
},
{
"name": "[mnemonic-dev] 20201202 [GitHub] [mnemonic] yzz127 opened a new pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169%40%3Cdev.mnemonic.apache.org%3E"
},
{
"name": "[mnemonic-dev] 20201204 [GitHub] [mnemonic] bigdata-memory merged pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc%40%3Cdev.mnemonic.apache.org%3E"
},
{
"name": "[mnemonic-commits] 20201204 [mnemonic] branch master updated: MNEMONIC-553: Fix for CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790%40%3Ccommits.mnemonic.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Assigned] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210923 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6%40%3Ccommits.cassandra.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-03-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-23T15:06:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "RHSA-2017:1832",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"name": "RHSA-2017:1675",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1675"
},
{
"name": "RHSA-2018:2927",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2927"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://logback.qos.ch/news.html"
},
{
"name": "RHSA-2017:1676",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1676"
},
{
"name": "[cassandra-commits] 20191112 [jira] [Created] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191112 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15421) CVE-2017-5929(QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9%40%3Cdev.brooklyn.apache.org%3E"
},
{
"name": "[mnemonic-dev] 20201202 [GitHub] [mnemonic] yzz127 opened a new pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169%40%3Cdev.mnemonic.apache.org%3E"
},
{
"name": "[mnemonic-dev] 20201204 [GitHub] [mnemonic] bigdata-memory merged pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc%40%3Cdev.mnemonic.apache.org%3E"
},
{
"name": "[mnemonic-commits] 20201204 [mnemonic] branch master updated: MNEMONIC-553: Fix for CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790%40%3Ccommits.mnemonic.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Assigned] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2%40%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210923 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6%40%3Ccommits.cassandra.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5929",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2017:1832",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"name": "RHSA-2017:1675",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:1675"
},
{
"name": "RHSA-2018:2927",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2927"
},
{
"name": "https://logback.qos.ch/news.html",
"refsource": "CONFIRM",
"url": "https://logback.qos.ch/news.html"
},
{
"name": "RHSA-2017:1676",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:1676"
},
{
"name": "[cassandra-commits] 20191112 [jira] [Created] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191112 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20191113 [jira] [Created] (CASSANDRA-15421) CVE-2017-5929(QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E"
},
{
"name": "[mnemonic-dev] 20201202 [GitHub] [mnemonic] yzz127 opened a new pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169@%3Cdev.mnemonic.apache.org%3E"
},
{
"name": "[mnemonic-dev] 20201204 [GitHub] [mnemonic] bigdata-memory merged pull request #152: MNEMONIC-553: Fix for CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc@%3Cdev.mnemonic.apache.org%3E"
},
{
"name": "[mnemonic-commits] 20201204 [mnemonic] branch master updated: MNEMONIC-553: Fix for CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790@%3Ccommits.mnemonic.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210108 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Commented] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15411) [9.8] [CVE-2017-5929] [Cassandra] [2.2.5]",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15421) CVE-2017-5929 in 3.11.x (QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Assigned] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210111 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2@%3Ccommits.cassandra.apache.org%3E"
},
{
"name": "[cassandra-commits] 20210923 [jira] [Updated] (CASSANDRA-15829) Upgrade to logback 1.2.3 to address CVE-2017-5929",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6@%3Ccommits.cassandra.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-5929",
"datePublished": "2017-03-13T06:14:00",
"dateReserved": "2017-02-07T00:00:00",
"dateUpdated": "2024-08-05T15:18:48.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}