{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-12798", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "state": "PUBLISHED", "assignerShortName": "NCSC.ch", "dateReserved": "2024-12-19T14:21:00.178Z", "datePublished": "2024-12-19T15:14:21.598Z", "dateUpdated": "2025-01-03T13:38:58.152Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["logback-core"], "product": "Logback-core", "vendor": "QOS.CH Sarl", "versions": [{"lessThanOrEqual": "1.3.14", "status": "affected", "version": "0.1", "versionType": "maven"}, {"lessThanOrEqual": "1.5.12", "status": "affected", "version": "1.4.0", "versionType": "maven"}, {"status": "unaffected", "version": "1.3.15"}, {"status": "unaffected", "version": "1.5.13"}]}], "credits": [{"lang": "en", "type": "finder", "value": "7asecurity"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core\n upto including version 0.1 to 1.3.14 and&nbsp;1.4.0 to 1.5.12 in Java applications allows\n attacker to execute arbitrary code by compromising an existing\n logback configuration file or by injecting an environment variable\n before program execution.<br></div><div><br></div><div>Malicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\n<br>\n<br>A successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.\n\n\n<br></div><div><br></div>"}], "value": "ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core\n upto including version 0.1 to 1.3.14 and\u00a01.4.0 to 1.5.12 in Java applications allows\n attacker to execute arbitrary code by compromising an existing\n logback configuration file or by injecting an environment variable\n before program execution.\n\n\n\n\n\nMalicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\n\n\n\nA successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "No known exploitation<br>"}], "value": "No known exploitation"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.9, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "CLEAR", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/RE:L/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-917", "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2025-01-03T13:38:58.152Z"}, "references": [{"url": "https://logback.qos.ch/news.html#1.5.13"}, {"url": "https://logback.qos.ch/news.html#1.3.15"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."}], "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."}], "source": {"discovery": "EXTERNAL"}, "title": "JaninoEventEvaluator\u00a0vulnerability", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."}], "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-20T20:17:18.406704Z", "id": "CVE-2024-12798", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-20T20:17:33.360Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-12798", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-12-20T20:17:18.406704Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-20T20:17:28.533Z"}}], "cna": {"title": "JaninoEventEvaluator\u00a0vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "7asecurity"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/RE:L/U:Clear", "providerUrgency": "CLEAR", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QOS.CH Sarl", "modules": ["logback-core"], "product": "Logback-core", "versions": [{"status": "affected", "version": "0.1", "versionType": "maven", "lessThanOrEqual": "1.3.14"}, {"status": "affected", "version": "1.4.0", "versionType": "maven", "lessThanOrEqual": "1.5.12"}, {"status": "unaffected", "version": "1.3.15"}, {"status": "unaffected", "version": "1.5.13"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "No known exploitation", "supportingMedia": [{"type": "text/html", "value": "No known exploitation<br>", "base64": false}]}], "solutions": [{"lang": "en", "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable.", "supportingMedia": [{"type": "text/html", "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable.", "base64": false}]}], "references": [{"url": "https://logback.qos.ch/news.html#1.5.13"}, {"url": "https://logback.qos.ch/news.html#1.3.15"}], "workarounds": [{"lang": "en", "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable.", "supportingMedia": [{"type": "text/html", "value": "Remove Janino from the Java classpath. Alternatively, update to logback \nversion 1.5.13 or later. If you are using the 1.3.x series, update to \nlogback version 1.3.15 or later. Note that the 1.4.x series remains \nvulnerable.", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core\n upto including version 0.1 to 1.3.14 and\u00a01.4.0 to 1.5.12 in Java applications allows\n attacker to execute arbitrary code by compromising an existing\n logback configuration file or by injecting an environment variable\n before program execution.\n\n\n\n\n\nMalicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\n\n\n\nA successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.", "supportingMedia": [{"type": "text/html", "value": "<div>ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core\n upto including version 0.1 to 1.3.14 and&nbsp;1.4.0 to 1.5.12 in Java applications allows\n attacker to execute arbitrary code by compromising an existing\n logback configuration file or by injecting an environment variable\n before program execution.<br></div><div><br></div><div>Malicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\n<br>\n<br>A successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.\n\n\n<br></div><div><br></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-917", "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2025-01-03T13:38:58.152Z"}}}, "cveMetadata": {"cveId": "CVE-2024-12798", "state": "PUBLISHED", "dateUpdated": "2025-01-03T13:38:58.152Z", "dateReserved": "2024-12-19T14:21:00.178Z", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "datePublished": "2024-12-19T15:14:21.598Z", "assignerShortName": "NCSC.ch"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core\n upto including version 0.1 to 1.3.14 and\u00a01.4.0 to 1.5.12 in Java applications allows\n attacker to execute arbitrary code by compromising an existing\n logback configuration file or by injecting an environment variable\n before program execution.\n\n\n\n\n\nMalicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\n\n\n\nA successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege."}, {"lang": "es", "value": "La vulnerabilidad ACE en JaninoEventEvaluator por parte de QOS.CH logback-core hasta la versi\u00f3n 1.5.12 incluida en aplicaciones Java permite al atacante ejecutar c\u00f3digo arbitrario comprometiendo un archivo de configuraci\u00f3n de logback existente o inyectando una variable de entorno antes de la ejecuci\u00f3n del programa. Los archivos de configuraci\u00f3n de logback maliciosos pueden permitir al atacante ejecutar c\u00f3digo arbitrario utilizando la extensi\u00f3n JaninoEventEvaluator. Un ataque exitoso requiere que el usuario tenga acceso de escritura a un archivo de configuraci\u00f3n. Alternativamente, el atacante podr\u00eda inyectar una variable de entorno maliciosa que apunte a un archivo de configuraci\u00f3n malicioso. En ambos casos, el ataque requiere privilegios existentes."}], "id": "CVE-2024-12798", "lastModified": "2025-01-03T14:15:24.370", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "CLEAR", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "LOW", "subsequentSystemConfidentiality": "LOW", "subsequentSystemIntegrity": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Clear", "version": "4.0", "vulnerabilityResponseEffort": "LOW", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "HIGH"}, "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}, "published": "2024-12-19T16:15:07.557", "references": [{"source": "vulnerability@ncsc.ch", "url": "https://logback.qos.ch/news.html#1.3.15"}, {"source": "vulnerability@ncsc.ch", "url": "https://logback.qos.ch/news.html#1.5.13"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-917"}], "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1078", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.8.3", "package": "ch.qos.logback/logback-core", "product_name": "Red Hat build of Apache Camel 4.8.3 for Spring Boot", "release_date": "2025-02-05T00:00:00Z"}], "bugzilla": {"description": "logback-core: arbitrary code execution via JaninoEventEvaluator", "id": "2333351", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333351"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L", "status": "verified"}, "cwe": "CWE-917", "details": ["ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core\nupto including version 0.1 to 1.3.14 and\u00a01.4.0 to 1.5.12 in Java applications allows\nattacker to execute arbitrary code by compromising an existing\nlogback configuration file or by injecting an environment variable\nbefore program execution.\nMalicious logback configuration files can allow the attacker to execute \narbitrary code using the JaninoEventEvaluator extension.\nA successful attack requires the user to have write access to a \nconfiguration file. Alternatively, the attacker could inject a malicious \nenvironment variable pointing to a malicious configuration file. In both \ncases, the attack requires existing privilege.", "A flaw was found in Logback. This flaw allows a privileged attacker with write access to modify Logback configuration files or inject a malicious environment variable to execute arbitrary code via the JaninoEventEvaluator extension."], "name": "CVE-2024-12798", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Affected", "package_name": "ch.qos.logback/logback-core", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Affected", "package_name": "ch.qos.logback/logback-core", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "ch.qos.logback/logback-core", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Affected", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat build of Apache Camel - HawtIO"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Will not fix", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat build of Debezium"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Affected", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Affected", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "ch.qos.logback/logback-core", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "ch.qos.logback/logback-core", "product_name": "streams for Apache Kafka"}], "public_date": "2024-12-19T15:14:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-12798\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-12798\nhttps://logback.qos.ch/news.html#1.5.13"], "threat_severity": "Moderate"}