PT-2024-10039 · Logback-Core

7Asecurity · Published 2024-12-19 · Updated 2026-05-18 · CVE-2024-12798

CVSS v4.0: 5.9 (Medium)
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/RE:L/U:Clear
Name of the Vulnerable Software and Affected Versions
logback-core versions 0.1 through 1.3.14
logback-core versions 1.4.0 through 1.5.12

Description
The issue lies in the JaninoEventEvaluator extension of logback-core. JaninoEventEvaluator compiles and executes Java expressions written in the logback configuration file, so whoever controls that file controls code that runs inside the application. An attacker can exploit this in two ways: by modifying an existing logback configuration file, which requires write access to the file, or by injecting an environment variable before the program starts so that logback loads a malicious configuration file from a location the attacker controls. In both cases the attacker must already hold some privilege on the host, which is reflected in the vector (AV:L, PR:L, UI:P) and is why the score is Medium even though the impact is arbitrary code execution in the context of the application. A malicious configuration file only needs to contain a JaninoEventEvaluator expression; logback compiles and runs it when the configuration is loaded or when the evaluator fires.

Recommendations
Upgrade logback-core: the fix is in version 1.3.15 for the 1.3.x line and in version 1.5.13 for the 1.4.x/1.5.x line. Where the upgrade cannot be deployed immediately, disable the JaninoEventEvaluator extension, that is, remove every <evaluator> that uses JaninoEventEvaluator from the logback configuration. JaninoEventEvaluator relies on the optional Janino library, so if nothing else needs it, removing the janino artifact from the classpath leaves the evaluator unable to compile expressions at all. As a temporary workaround, restrict write access to logback configuration files to the account that deploys the application, since the attack depends on changing the file or the location it is loaded from. Do not let lower-privileged users set environment variables or startup settings that determine where logback reads its configuration, for example in container entrypoints or service unit files.
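The two checks a responder needs before choosing between patching now and merely restricting file access, as an added example that is not code from the advisory or from the logback project: is the deployed logback-core inside an affected range, and does any configuration file actually use JaninoEventEvaluator? It assumes the affected ranges listed above, uses the logback-classic class name ch.qos.logback.classic.boolex.JaninoEventEvaluator (which logback also assumes when an <evaluator> carries no class attribute), and the two sample configurations are constructed for the example.

```python
"""Added audit helper for CVE-2024-12798 (not part of the advisory or of logback).

Two checks: whether a logback-core version is inside an affected range, and
whether a logback XML configuration contains evaluators backed by Janino.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory, inclusive at both ends, as (major, minor, patch).
AFFECTED_RANGES = [
    ((0, 1, 0), (1, 3, 14)),   # fixed in 1.3.15
    ((1, 4, 0), (1, 5, 12)),   # fixed in 1.5.13
]

# logback-classic's Janino-backed evaluator; logback assumes this class when an
# <evaluator> element carries no class attribute.
JANINO_CLASS = "ch.qos.logback.classic.boolex.JaninoEventEvaluator"


def parse_version(version: str) -> tuple:
    """Turn '1.5.12' (or '1.3.14-SNAPSHOT') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised logback version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True if the given logback-core version lies in an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def find_janino_evaluators(config_xml: str) -> list:
    """Return every <evaluator> that resolves to JaninoEventEvaluator, with the
    Java expression it would compile and run; other evaluator classes are skipped."""
    root = ET.fromstring(config_xml)
    hits = []
    for ev in root.iter("evaluator"):
        cls = ev.get("class")
        if cls is not None and cls != JANINO_CLASS:
            continue  # a different EventEvaluator implementation, not Janino-backed
        hits.append({
            "name": ev.get("name"),
            "class": cls or JANINO_CLASS,       # implicit default when class= is absent
            "explicit_class": cls is not None,
            "expression": (ev.findtext("expression") or "").strip(),
        })
    return hits


def audit(version: str, config_xml: str) -> dict:
    """Combine both checks into one verdict for a deployment."""
    affected = is_affected(version)
    evaluators = find_janino_evaluators(config_xml)
    if not affected:
        action = "patched version; no action for CVE-2024-12798"
    elif evaluators:
        action = "upgrade and review the listed Janino expressions; restrict write access to the config"
    else:
        action = "upgrade; until then keep the janino jar off the classpath and the config read-only"
    return {"version": version, "affected": affected,
            "janino_evaluators": evaluators, "action": action}


# Constructed sample configurations (not taken from any real deployment).
CONFIG_WITH_EVALUATOR = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
      <evaluator name="onlyWarnings">
        <expression>level &gt;= WARN</expression>
      </evaluator>
      <OnMatch>ACCEPT</OnMatch>
      <OnMismatch>DENY</OnMismatch>
    </filter>
    <encoder><pattern>%d %-5level %logger - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>"""

CONFIG_PLAIN = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level %logger - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>"""


if __name__ == "__main__":
    for ver, cfg in (("1.5.12", CONFIG_WITH_EVALUATOR),
                     ("1.5.13", CONFIG_WITH_EVALUATOR),
                     ("1.3.14", CONFIG_PLAIN)):
        print(audit(ver, cfg))
```

Run the audit over every logback.xml, logback-test.xml and logback-spring.xml the application can load, not only the one in the artifact, because the vulnerability is about which file logback ends up reading, not about the file the developer intended. An evaluator without a class attribute is still a Janino evaluator, which is why the scan treats a missing class= as a hit rather than as safe.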

Weakness Enumeration

Related Identifiers

BDU:2025-00177
CLEANSTART-2026-CI66802
CLEANSTART-2026-DD05788
CLEANSTART-2026-GH89210
CLEANSTART-2026-KM27583
CLEANSTART-2026-SP91806
CLEANSTART-2026-VH41554
CVE-2024-12798
GHSA-PR98-23F8-JWXV
OESA-2025-1082
OPENSUSE-SU-2025:14627-1
OPENSUSE-SU-2025_0072-1
SUSE-SU-2025:0072-1

Affected Products

Debian
Suse
Logback-Core