CVE-2021-42550
MEDIUM
qos logback < 1.2.7 - Deserialization of Untrusted Data via LDAP
Title source: llmDescription
In logback version 1.2.7 and prior versions, an attacker with the privileges required to edit configuration files could craft a malicious configuration that causes arbitrary code loaded from LDAP servers to be executed.
References (7)
Core References
Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2022/Jul/11
Vendor Advisory
http://logback.qos.ch/news.html
Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf
Exploit, Issue Tracking, Patch, Third Party Advisory
https://jira.qos.ch/browse/LOGBACK-1591
Third Party Advisory
https://security.netapp.com/advisory/ntap-20211229-0001/
Scores
CVSS v3
6.6
EPSS
0.0273
EPSS Percentile
86.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (8)
ch.qos.logback/logback-core
0 - 1.2.9 (Maven)
netapp/cloud_manager
netapp/service_level_manager
netapp/snap_creator_framework
qos/logback
1.3.0 alpha0 (11 CPE variants)
qos/logback
< 1.2.7
redhat/satellite
6.0
siemens/sinec_nms
< 1.0.3
Published
Dec 16, 2021
Tracked Since
Feb 18, 2026