Search
Search Results (7 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-9828 | 1 Qos | 1 Logback | 2026-05-30 | N/A |
| Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked. Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions. This issue affects logback: through 1.5.32 inclusive. | ||||
| CVE-2026-1225 | 1 Qos | 1 Logback | 2026-04-18 | 5.0 Medium |
| ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado. | ||||
| CVE-2025-11226 | 1 Qos | 1 Logback | 2026-04-15 | 6.4 Medium |
| ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. | ||||
| CVE-2017-5929 | 2 Qos, Redhat | 7 Logback, Jboss Amq, Jboss Bpms and 4 more | 2025-04-20 | 9.8 Critical |
| QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. | ||||
| CVE-2023-6378 | 2 Qos, Redhat | 5 Logback, Amq Broker, Camel Spring Boot and 2 more | 2024-11-29 | 7.1 High |
| A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. | ||||
| CVE-2023-6481 | 2 Qos, Redhat | 6 Logback, Amq Broker, Camel Spring Boot and 3 more | 2024-11-21 | 7.1 High |
| A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. | ||||
| CVE-2021-42550 | 4 Netapp, Qos, Redhat and 1 more | 9 Cloud Manager, Service Level Manager, Snap Creator Framework and 6 more | 2024-11-21 | 6.6 Medium |
| In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. | ||||
Page 1 of 1.