CVE-2026-1225

Gravedad CVSS v4.0:

BAJA

Tipo:

CWE-20 Validación incorrecta de entrada

Fecha de publicación:

22/01/2026

Última modificación:

22/01/2026

Descripción

*** Pendiente de traducción *** ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user&#39;s class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

Impacto

Vector 4.0

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/RE:M/U:Green CVSS v4.0 Severidad y Métricas:

Puntuación base: 1.80 BAJA
Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/RE:M/U:Green

Vector de acceso (AV): Local
Complejidad de acceso (AC): Alto
Attack Requirements (AT): Present
Privilegios Requeridos (PR): Alto
Interacción del usuario (UI): Ninguno
Confidentiality (VC): Bajo
Integrity (VI): Bajo
Availability (VA): Bajo
Confidentiality (SC): Bajo
Integrity (SI): Bajo
Availability (SA): Bajo
Safety (S): Negligible
Automatable (AU): No
Vulnerability Response Effort (RE): Moderate
Provider Urgency (U): Verde

Puntuación base 4.0

1.80

Gravedad 4.0

BAJA

Referencias a soluciones, herramientas e información

https://logback.qos.ch/news.html#1.5.25