PT-2026-45408 · Unknown · Logback-Core
Published: 2026-06-01 · Updated: 2026-06-01 · CVE-2026-10532
CVSS v4.0: 2.9 (Low)
| Vector | AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Green |
Name of the Vulnerable Software and Affected Versions
logback-core versions prior to 1.5.34
Description
Deserialization of untrusted data in the HardenedObjectInputStream module allows for Object Injection, although the impact is heavily restricted. An attacker capable of influencing serialized data sent to the 'SimpleSocketServer' or 'SimpleSSLSocketServer' endpoints can instantiate Proxy objects. This issue represents a bypass of intended security restrictions, though no practical method for remote code execution or significant privilege escalation has been identified.
Recommendations
Update to a version later than 1.5.33.
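As an added defensive illustration (it is not logback's own HardenedObjectInputStream and not the project's fix; upgrading remains the recommended remediation), the following Java program shows what a receiver-side deserialization allowlist looks like when it is built on the JDK's standard ObjectInputFilter and explicitly rejects dynamically generated java.lang.reflect.Proxy classes in addition to any class not on the list. The Event, Marker and NoOpHandler types, the allowlist contents and the sample payloads are all constructed for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Set;

/** Added example: allowlist deserialization filter that also rejects Proxy classes. */
public class ProxyRejectingFilterDemo {

    // Constructed allowlist for this demo: only the payload type the receiver
    // expects plus String. A real deployment lists its own expected classes.
    static final Set<String> ALLOWED = Set.of(Event.class.getName(), "java.lang.String");

    /** Hypothetical payload type a socket receiver might expect. */
    static final class Event implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        Event(String message) { this.message = message; }
    }

    /** Hypothetical interface used only to build a proxy object for the demo. */
    interface Marker {}

    /** Serializable no-op handler so the demo proxy object can be serialized. */
    static final class NoOpHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;
        @Override
        public Object invoke(Object proxy, Method method, Object[] args) { return null; }
    }

    /** Allowlist filter: anything not listed, and every Proxy class, is rejected. */
    static ObjectInputFilter allowlist() {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Invoked for depth/reference/array-length checks that carry no class.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            // Proxy classes have generated names ($Proxy0, ...) that a name-based
            // list never matches; reject them explicitly instead of relying on that.
            if (Proxy.isProxyClass(c)) {
                return ObjectInputFilter.Status.REJECTED;
            }
            while (c.isArray()) {          // judge arrays by their component type
                c = c.getComponentType();
            }
            if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Receiver side: deserialize with the allowlist filter installed. */
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowlist());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected payload passes the filter.
        Event ok = (Event) deserialize(serialize(new Event("hello")));
        System.out.println("accepted: " + ok.message);

        // A serialized Proxy object, built locally for the demo, is rejected
        // when its class descriptor is resolved, before its handler is read.
        Object proxy = Proxy.newProxyInstance(
                ProxyRejectingFilterDemo.class.getClassLoader(),
                new Class<?>[] {Marker.class}, new NoOpHandler());
        try {
            deserialize(serialize(proxy));
            System.out.println("proxy accepted (filter not working)");
        } catch (InvalidClassException e) {
            System.out.println("proxy rejected: " + e.getMessage());
        }
    }
}
```

The point of the Proxy.isProxyClass check is that ObjectInputStream resolves proxy class descriptors through a separate path from ordinary classes, so a filter that only compares class names against a list has to decide proxy classes explicitly; the JDK filter sees the resolved class and can refuse it before any further stream content is consumed. Compile and run with a JDK 9 or newer (Set.of and ObjectInputFilter require it).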
Fix
Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
Affected Products
Logback-Core