CVE-2021-42550

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-42550

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-42550.json

Aliases

GHSA-668q-qrv7-99fm

Related

RLSA-2022:5498

Published

2021-12-16T19:15:08Z

Modified

2023-11-29T09:05:01.716811Z

Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

References

http://logback.qos.ch/news.html
http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
https://security.netapp.com/advisory/ntap-20211229-0001/
http://seclists.org/fulldisclosure/2022/Jul/11
https://github.com/cn-panda/logbackRceDemo
https://jira.qos.ch/browse/LOGBACK-1591
https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf

Affected packages

Git / github.com/qos-ch/logback

Affected ranges

Type: GIT
Repo: https://github.com/qos-ch/logback
Events: Introduced

0The exact introduced commit is unknown

Fixed

791680229b8644535b7b6e9b1aa8dc5ad1e17e0c

Affected versions

release_0.*

release_0.9.19

v0.*

v0.9.18

v0.9.20

v_0.*

v_0.9.21

v_0.9.22

v_0.9.23

v_0.9.24

v_0.9.25

v_0.9.26

v_0.9.27

v_0.9.28

v_0.9.29

v_0.9.30

v_1.*

v_1.0.0

v_1.0.1

v_1.0.2