📂 Vulnerable Library - logback-classic-1.1.3.jar
logback-classic module
Library home page: http://www.qos.ch
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.1.3/logback-classic-1.1.3.jar
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-5929 | 🟣 Critical | 9.3 | Not Defined | 11.4% | logback-classic-1.1.3.jar | Direct | ch.qos.logback:logback-core:1.2.0, ch.qos.logback:logback-classic:1.2.0 | ✅ | Reachable |
| CVE-2023-6378 | 🔴 High | 8.2 | Not Defined | < 1% | logback-core-1.1.3.jar | Transitive | N/A | ❌ | |
| CVE-2021-42550 | 🔴 High | 7.5 | Not Defined | 4.3% | logback-core-1.1.3.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2021-42550 | 🔴 High | 7.5 | Not Defined | 4.3% | logback-classic-1.1.3.jar | Direct | ch.qos.logback:logback-core:1.2.9 | ✅ | Reachable |
Details
🟣 CVE-2017-5929
Vulnerable Library - logback-classic-1.1.3.jar
logback-classic module
Library home page: http://www.qos.ch
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.1.3/logback-classic-1.1.3.jar
Dependency Hierarchy:
- ❌ logback-classic-1.1.3.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.visualpathit.account.service.SecurityServiceImpl (Application)
- org.slf4j.LoggerFactory (Extension)
- org.slf4j.impl.StaticLoggerBinder (Extension)
- ch.qos.logback.classic.util.ContextInitializer (Extension)
- ch.qos.logback.classic.gaffer.GafferUtil (Extension)
- ch.qos.logback.classic.gaffer.GafferConfigurator (Extension)
- ch.qos.logback.classic.gaffer.ConfigurationDelegate (Extension)
- ch.qos.logback.classic.net.server.ServerSocketReceiver (Extension)
- ch.qos.logback.classic.net.server.RemoteAppenderServerListener (Extension)
-> ❌ ch.qos.logback.classic.net.server.RemoteAppenderStreamClient (Vulnerable Component)
Vulnerability Details
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
Publish Date: Mar 13, 2017 06:14 AM
URL: CVE-2017-5929
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 11.4%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-vmfg-rjjm-rjrj
Release Date: Mar 13, 2017 06:14 AM
Fix Resolution: ch.qos.logback:logback-core:1.2.0, ch.qos.logback:logback-classic:1.2.0
🔴 CVE-2023-6378
Vulnerable Library - logback-core-1.1.3.jar
logback-core module
Library home page: http://www.qos.ch
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.1.3/logback-core-1.1.3.jar
Dependency Hierarchy:
- logback-classic-1.1.3.jar (Root Library)
  - ❌ logback-core-1.1.3.jar (Vulnerable Library)
Vulnerability Details
A serialization vulnerability in the logback receiver component, part of logback version 1.4.11, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
Publish Date: Nov 29, 2023 12:02 PM
URL: CVE-2023-6378
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-vmq6-5m68-f53m
Release Date: Nov 29, 2023 12:02 PM
Fix Resolution: ch.qos.logback:logback-core:1.2.13, ch.qos.logback:logback-classic:1.3.12, ch.qos.logback:logback-core:1.4.12, ch.qos.logback:logback-core:1.3.12, ch.qos.logback:logback-classic:1.4.12, ch.qos.logback:logback-classic:1.2.13
🔴 CVE-2021-42550
Vulnerable Library - logback-core-1.1.3.jar
logback-core module
Library home page: http://www.qos.ch
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.1.3/logback-core-1.1.3.jar
Dependency Hierarchy:
- logback-classic-1.1.3.jar (Root Library)
  - ❌ logback-core-1.1.3.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.visualpathit.account.service.SecurityServiceImpl (Application)
- org.slf4j.LoggerFactory (Extension)
- org.slf4j.impl.StaticLoggerBinder (Extension)
- ch.qos.logback.classic.util.ContextInitializer (Extension)
-> ❌ ch.qos.logback.core.util.OptionHelper (Vulnerable Component)
Vulnerability Details
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration allowing execution of arbitrary code loaded from LDAP servers. Converted from WS-2021-0491, on 2022-11-07.
Publish Date: Dec 16, 2021 12:00 AM
URL: CVE-2021-42550
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.3%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-668q-qrv7-99fm
Release Date: Dec 16, 2021 12:00 AM
Fix Resolution: ch.qos.logback:logback-core:1.2.9
🔴 CVE-2021-42550
Vulnerable Library - logback-classic-1.1.3.jar
logback-classic module
Library home page: http://www.qos.ch
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.1.3/logback-classic-1.1.3.jar
Dependency Hierarchy:
- ❌ logback-classic-1.1.3.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- com.visualpathit.account.service.SecurityServiceImpl (Application)
- org.slf4j.LoggerFactory (Extension)
- org.slf4j.impl.StaticLoggerBinder (Extension)
- ch.qos.logback.classic.util.ContextSelectorStaticBinder (Extension)
- ch.qos.logback.classic.selector.ContextJNDISelector (Extension)
-> ❌ ch.qos.logback.classic.util.JNDIUtil (Vulnerable Component)
Vulnerability Details
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration allowing execution of arbitrary code loaded from LDAP servers. Converted from WS-2021-0491, on 2022-11-07.
Publish Date: Dec 16, 2021 12:00 AM
URL: CVE-2021-42550
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.3%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-668q-qrv7-99fm
Release Date: Dec 16, 2021 12:00 AM
Fix Resolution: ch.qos.logback:logback-core:1.2.9