Medium severity · GHSA Advisory · Published Dec 19, 2024 · Updated Apr 15, 2026

CVE-2024-12798

Description

An arbitrary code execution (ACE) vulnerability in JaninoEventEvaluator by QOS.CH logback-core, up to and including versions 0.1 to 1.3.14 and 1.4.0 to 1.5.12, in Java applications allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.

Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension.

A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| ch.qos.logback:logback-core (Maven) | >= 1.4.0, < 1.5.13 | 1.5.13 |
| ch.qos.logback:logback-core (Maven) | < 1.3.15 | 1.3.15 |
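
The following audit helper is an added example, not code from the advisory or from the logback project. It checks a logback-core version against the affected ranges in the table above and lists the JaninoEventEvaluator expressions in a configuration file, so an unexpected one stands out in review. The sample configuration is constructed, the function names are hypothetical, and the handling of `<evaluator>` elements without a `class` attribute is an assumption about logback's default.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory table: (inclusive lower bound or None, first patched version).
AFFECTED = [(None, (1, 3, 15)), ((1, 4, 0), (1, 5, 13))]

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONFIG = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
      <evaluator>
        <expression>return message.contains("billing");</expression>
      </evaluator>
    </filter>
  </appender>
  <appender name="MAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator">
      <marker>NOTIFY_ADMIN</marker>
    </evaluator>
  </appender>
</configuration>"""

def parse_version(text):
    """Return (major, minor, patch); qualifiers such as -alpha1 are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def is_affected(version):
    v = parse_version(version)
    return any((lo is None or v >= lo) and v < fixed for lo, fixed in AFFECTED)

def local(tag):
    """Strip any XML namespace and normalise case."""
    return tag.rsplit("}", 1)[-1].lower()

def find_janino_evaluators(config_xml):
    """List <evaluator> elements that resolve to JaninoEventEvaluator, with their expressions."""
    hits = []
    for elem in ET.fromstring(config_xml).iter():
        if local(elem.tag) != "evaluator":
            continue
        cls = elem.get("class")
        # Assumption: an <evaluator> with no class attribute defaults to JaninoEventEvaluator.
        if cls is None or cls.endswith("JaninoEventEvaluator"):
            exprs = [c.text.strip() for c in elem if local(c.tag) == "expression" and c.text]
            hits.append({"class": cls or "(default)", "expression": " ".join(exprs)})
    return hits

def audit(version, config_xml):
    return {"affected_version": is_affected(version),
            "janino_evaluators": find_janino_evaluators(config_xml)}
```

An affected version is in scope whether or not the current configuration uses an evaluator, because the description's attack path is a modified or substituted configuration file; the evaluator listing is a review aid for spotting expressions nobody on the team wrote.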
