VYPR

Maven package

ch.qos.logback/logback-core

pkg:maven/ch.qos.logback/logback-core

Vulnerabilities (8)

  • CVE-2026-1225 | Low | Jan 22, 2026
    affected < 1.5.25; fixed 1.5.25

    ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instanti

  • CVE-2025-11226 | Medium | Oct 1, 2025
    affected >= 1.4.0, < 1.5.19; fixed 1.5.19

    ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment varia

  • CVE-2024-12801 | Low | Dec 19, 2024
    affected >= 1.4.0, < 1.5.13; fixed 1.5.13

    Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attack involves the modification of DOCTYPE

  • CVE-2024-12798 | Medium | Dec 19, 2024
    affected >= 1.4.0, < 1.5.13; fixed 1.5.13

    ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core, versions 0.1 to 1.3.14 and 1.4.0 to 1.5.12, in Java applications allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an en

  • CVE-2023-6481 | Dec 4, 2023
    affected >= 1.4.13, < 1.4.14; fixed 1.4.14

    A serialization vulnerability in the logback receiver component, part of logback versions 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a denial-of-service attack by sending poisoned data.

  • CVE-2023-6378 | Nov 29, 2023
    affected >= 1.3.0, < 1.3.12; fixed 1.3.12

    A serialization vulnerability in the logback receiver component, part of logback version 1.4.11, allows an attacker to mount a denial-of-service attack by sending poisoned data.

  • CVE-2021-42550 | Dec 16, 2021
    affected < 1.2.9; fixed 1.2.9

    In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration that allows execution of arbitrary code loaded from LDAP servers.

  • CVE-2017-5929 | Critical | Mar 13, 2017
    affected < 1.2.0; fixed 1.2.0

    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.