CVE-2021-42550
Severity CVSS v4.0:
Pending analysis
Type:
CWE-502
Deserialization of Untrusted Dat
Publication date:
16/12/2021
Last modified:
12/12/2022
Description
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Impact
Base Score 3.x
6.60
Severity 3.x
MEDIUM
Base Score 2.0
8.50
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:qos:logback:*:*:*:*:*:*:*:* | 1.2.7 (including) | |
| cpe:2.3:a:qos:logback:1.3.0:alpha0:*:*:*:*:*:* | ||
| cpe:2.3:a:qos:logback:1.3.0:alpha1:*:*:*:*:*:* | ||
| cpe:2.3:a:qos:logback:1.3.0:alpha10:*:*:*:*:*:* | ||
| cpe:2.3:a:qos:logback:1.3.0:alpha2:*:*:*:*:*:* | ||
| cpe:2.3:a:qos:logback:1.3.0:alpha3:*:*:*:*:*:* | ||
| cpe:2.3:a:qos:logback:1.3.0:alpha4:*:*:*:*:*:* | ||
| cpe:2.3:a:qos:logback:1.3.0:alpha5:*:*:*:*:*:* | ||
| cpe:2.3:a:qos:logback:1.3.0:alpha6:*:*:*:*:*:* | ||
| cpe:2.3:a:qos:logback:1.3.0:alpha7:*:*:*:*:*:* | ||
| cpe:2.3:a:qos:logback:1.3.0:alpha8:*:*:*:*:*:* | ||
| cpe:2.3:a:qos:logback:1.3.0:alpha9:*:*:*:*:*:* | ||
| cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://logback.qos.ch/news.html
- http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
- http://seclists.org/fulldisclosure/2022/Jul/11
- https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf
- https://github.com/cn-panda/logbackRceDemo
- https://jira.qos.ch/browse/LOGBACK-1591
- https://security.netapp.com/advisory/ntap-20211229-0001/