CVE-2024-12798
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
19/12/2024
Last modified:
15/04/2026
Description
Arbitrary code execution (ACE) vulnerability in JaninoEventEvaluator in QOS.CH logback-core, versions 0.1 up to and including 1.3.14 and 1.4.0 up to and including 1.5.12, in Java applications. It allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.

A malicious logback configuration file can use the JaninoEventEvaluator extension to run attacker-supplied Java code: the evaluator compiles and evaluates the Java expression given in the configuration, so whoever controls the configuration that logback loads at startup controls that code.

A successful attack requires write access to a configuration file that the application loads. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases the attack requires existing privilege on the host or deployment. The first versions outside the affected ranges are 1.3.15 and 1.5.13.
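The following audit script is an added example; it is not part of this CVE entry or of the logback project. It checks a logback-core version string against the affected ranges stated above and scans a logback configuration for the JaninoEventEvaluator usage the advisory describes. Assumptions beyond the advisory text: the element names (`evaluator`, `expression`, `if condition="..."`) follow the logback manual; an `evaluator` element without a class attribute is treated as Janino because that is logback-classic's default evaluator class; and `if` blocks are flagged because logback's conditional processing is also evaluated by Janino. The sample configuration is constructed for the example and contains only a benign expression.

```python
"""Audit helper for CVE-2024-12798 (added example, not logback project code)."""
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory, inclusive on both ends.
AFFECTED_RANGES = [((0, 1, 0), (1, 3, 14)), ((1, 4, 0), (1, 5, 12))]
# Fully qualified name of the evaluator named in the advisory.
JANINO_CLASS = "ch.qos.logback.classic.boolex.JaninoEventEvaluator"


def parse_version(version):
    """Turn '1.5.12' or '1.3.14-SNAPSHOT' into a 3-tuple of ints."""
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in core.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '0.1' -> (0, 1, 0)


def is_affected(version):
    """True if the logback-core version lies inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def audit_logback_config(xml_text):
    """Return (kind, evaluator_class, expression) for every Janino use found.

    kind is 'evaluator' for an <evaluator> element whose class is the Janino
    evaluator (or missing, which defaults to it), and 'if' for conditional
    processing blocks, whose condition is also a Janino expression.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():  # document order, logback configs use no namespace
        if el.tag == "evaluator":
            cls = el.attrib.get("class", "")
            if cls in ("", JANINO_CLASS):
                expr = el.findtext("expression", default="").strip()
                findings.append(("evaluator", cls or "(default: Janino)", expr))
        elif el.tag == "if":
            findings.append(("if", "conditional processing", el.attrib.get("condition", "")))
    return findings


# Constructed sample configuration: one Janino evaluator filter and one <if> block.
SAMPLE_CONFIG = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
      <evaluator class="ch.qos.logback.classic.boolex.JaninoEventEvaluator">
        <expression>return message.contains("billing");</expression>
      </evaluator>
      <OnMismatch>NEUTRAL</OnMismatch>
      <OnMatch>DENY</OnMatch>
    </filter>
    <encoder><pattern>%d %-5level %msg%n</pattern></encoder>
  </appender>
  <if condition='property("env").equals("dev")'>
    <then><logger name="com.example" level="DEBUG"/></then>
  </if>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""

if __name__ == "__main__":
    for ver in ("1.3.14", "1.3.15", "1.5.12", "1.5.13"):
        print(f"logback-core {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for kind, what, detail in audit_logback_config(SAMPLE_CONFIG):
        print(f"[{kind}] {what}: {detail}")
```

Run it against each logback.xml (and logback-test.xml) an application ships or loads; any finding means a configuration file that, if writable by an attacker, turns into code execution on an affected version, so those files deserve the same write-protection and review as application code.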



