-
Notifications
You must be signed in to change notification settings - Fork 346
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
e77dc6c
commit 0678eb2
Showing
4 changed files
with
130 additions
and
72 deletions.
There are no files selected for viewing
65 changes: 65 additions & 0 deletions
65
advisories/github-reviewed/2024/12/GHSA-6v67-2wr5-gvf4/GHSA-6v67-2wr5-gvf4.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-6v67-2wr5-gvf4", | ||
| "modified": "2024-12-19T22:22:44Z", | ||
| "published": "2024-12-19T18:31:37Z", | ||
| "aliases": [ | ||
| "CVE-2024-12801" | ||
| ], | ||
| "summary": "QOS.CH logback-core Server-Side Request Forgery vulnerability", | ||
| "details": "Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML.\n \nThe attacks involves the modification of DOCTYPE declaration in XML configuration files.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H/V:D/U:Clear" | ||
| } | ||
| ], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "ch.qos.logback:logback-core" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.15.13" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12801" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/qos-ch/logback" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://logback.qos.ch/news.html#1.5.13" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-918" | ||
| ], | ||
| "severity": "LOW", | ||
| "github_reviewed": true, | ||
| "github_reviewed_at": "2024-12-19T22:22:44Z", | ||
| "nvd_published_at": "2024-12-19T17:15:08Z" | ||
| } | ||
| } |
65 changes: 65 additions & 0 deletions
65
advisories/github-reviewed/2024/12/GHSA-pr98-23f8-jwxv/GHSA-pr98-23f8-jwxv.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-pr98-23f8-jwxv", | ||
| "modified": "2024-12-19T22:22:09Z", | ||
| "published": "2024-12-19T18:31:37Z", | ||
| "aliases": [ | ||
| "CVE-2024-12798" | ||
| ], | ||
| "summary": "QOS.CH logback-core Expression Language Injection vulnerability", | ||
| "details": "ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows attackers to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.\n\nMalicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension.\n\nA successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.", | ||
| "severity": [ | ||
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/RE:L/U:Clear" | ||
| } | ||
| ], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "ch.qos.logback:logback-core" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "1.15.13" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "ADVISORY", | ||
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12798" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/qos-ch/logback" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://logback.qos.ch/news.html#1.5.13" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-917" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "github_reviewed": true, | ||
| "github_reviewed_at": "2024-12-19T22:22:09Z", | ||
| "nvd_published_at": "2024-12-19T16:15:07Z" | ||
| } | ||
| } |
36 changes: 0 additions & 36 deletions
36
advisories/unreviewed/2024/12/GHSA-6v67-2wr5-gvf4/GHSA-6v67-2wr5-gvf4.json
This file was deleted.
Oops, something went wrong.
36 changes: 0 additions & 36 deletions
36
advisories/unreviewed/2024/12/GHSA-pr98-23f8-jwxv/GHSA-pr98-23f8-jwxv.json
This file was deleted.
Oops, something went wrong.