logback-classic-1.2.11.jar: 2 vulnerabilities (highest severity is: 9.8) [master] (reachable)

<details>
  <summary>📂 Vulnerable Library - <strong>logback-classic-1.2.11.jar</strong></summary>

logback-classic module

**Library home page:** [ http://www.qos.ch ](http://www.qos.ch)

**Path to dependency file:** /maven-embedder/pom.xml

**Path to vulnerable library:** /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.11/logback-classic-1.2.11.jar


</details>


# Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | **Reachability** |
| ------------- | ------------- | ---- | --- | ----- | ----- | ----- | --- | --- | --- |
| [ CVE-308018-134255 ](https://www.mend.io/vulnerability-database/CVE-308018-134255) | 🟣 Critical | 9.8 | N/A | N/A | logback-classic-1.2.11.jar | Direct | N/A | ❌ | |
| [ CVE-2023-6378 ](https://www.mend.io/vulnerability-database/CVE-2023-6378) | 🔴 High | 8.2 | Not Defined | < 1% | logback-core-1.2.11.jar | Transitive | N/A | ❌ |<img src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=20 height=22> Reachable |


# Details


<details>
  <summary>
 🟣CVE-308018-134255
  </summary>

### Vulnerable Library - **logback-classic-1.2.11.jar**

logback-classic module

**Library home page:** [ http://www.qos.ch ](http://www.qos.ch)

**Path to dependency file:** /maven-embedder/pom.xml

**Path to vulnerable library:** /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.11/logback-classic-1.2.11.jar



**Dependency Hierarchy:**


- ❌  **logback-classic-1.2.11.jar** (Vulnerable Library)




***

### Vulnerability Details

Created automatically by the test suite

**Publish Date:** Jun 07, 2010 05:12 PM

**URL:** [ CVE-308018-134255 ](https://www.mend.io/vulnerability-database/CVE-308018-134255)

**Threat Assessment**

Exploit Maturity:N/A

EPSS:N/A

**Score:** 9.8


***
### Suggested Fix

**Type:** Upgrade version

**Origin:** 

**Release Date:** 

**Fix Resolution :** 


</details>

<details>
  <summary>
 🔴CVE-2023-6378
  </summary>

### Vulnerable Library - **logback-core-1.2.11.jar**

logback-core module

**Library home page:** [ http://www.qos.ch ](http://www.qos.ch)

**Path to dependency file:** /maven-embedder/pom.xml

**Path to vulnerable library:** /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.11/logback-core-1.2.11.jar



**Dependency Hierarchy:**


- logback-classic-1.2.11.jar (Root Library)
    - ❌  **logback-core-1.2.11.jar** (Vulnerable Library)




***

### Reachability Analysis
This vulnerability is potentially reachable:

```
- org.apache.maven.cli.configuration.SettingsXmlConfigurationProcessor (Application)
    - ch.qos.logback.classic.Logger (Extension)
        - ch.qos.logback.classic.LoggerContext (Extension)
            - ch.qos.logback.core.ContextBase (Extension)
                - ch.qos.logback.core.util.ContextUtil (Extension)
                    - ch.qos.logback.core.rolling.helper.FileNamePattern (Extension)
                        - ch.qos.logback.core.pattern.ConverterUtil (Extension)
                            - ch.qos.logback.core.net.server.ConcurrentServerRunner (Extension)
                                -> ❌ ch.qos.logback.core.net.server.ServerListener (Vulnerable Component)
```
***

### Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
 Mend Note: 

**Publish Date:** Nov 29, 2023 12:02 PM

**URL:** [ CVE-2023-6378 ](https://www.mend.io/vulnerability-database/CVE-2023-6378)

**Threat Assessment**

Exploit Maturity:Not Defined

EPSS:< 1%

**Score:** 8.2


***
### Suggested Fix

**Type:** Upgrade version

**Origin:** https://github.com/advisories/GHSA-vmq6-5m68-f53m

**Release Date:** Nov 29, 2023 12:02 PM

**Fix Resolution :** ch.qos.logback:logback-core:1.2.13,ch.qos.logback:logback-classic:1.3.12,ch.qos.logback:logback-core:1.4.12,ch.qos.logback:logback-core:1.3.12,ch.qos.logback:logback-classic:1.4.12,ch.qos.logback:logback-classic:1.2.13


</details>

[comment]: <> (<MEND_ISSUE_METADATA>{"identifier":"logback-classic-1.2.11.jar","repoName":"maven","branchName":"master","type":"SCA_DEP"}</MEND_ISSUE_METADATA>)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

logback-classic-1.2.11.jar: 2 vulnerabilities (highest severity is: 9.8) [master] (reachable) #11

Findings

Details

Vulnerable Library - logback-classic-1.2.11.jar

Vulnerability Details

Suggested Fix

Vulnerable Library - logback-core-1.2.11.jar

Reachability Analysis

Vulnerability Details

Suggested Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Finding	Severity	🎯 CVSS	Exploit Maturity	EPSS	Library	Type	Fixed in	Remediation Available	Reachability
CVE-308018-134255	🟣 Critical	9.8	N/A	N/A	logback-classic-1.2.11.jar	Direct	N/A	❌
CVE-2023-6378	🔴 High	8.2	Not Defined	< 1%	logback-core-1.2.11.jar	Transitive	N/A	❌	Reachable

logback-classic-1.2.11.jar: 2 vulnerabilities (highest severity is: 9.8) [master] (reachable) #11

Description

Findings

Details

Vulnerable Library - logback-classic-1.2.11.jar

Vulnerability Details

Suggested Fix

Vulnerable Library - logback-core-1.2.11.jar

Reachability Analysis

Vulnerability Details

Suggested Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions