CVE-2024-12801
Severity: LOW
logback-core 1.4.0-1.5.12 and logback 0.1-1.3.14 - Server-Side Request Forgery via DOCTYPE Declaration
Title source: llmDescription
Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform allows an attacker to forge requests by compromising logback configuration files in XML. The attack involves the modification of the DOCTYPE declaration in XML configuration files.
References (2)
Core References
Various Sources: https://logback.qos.ch/news.html#1.3.15
Various Sources: https://logback.qos.ch/news.html#1.5.13
Scores
CVSS v4
2.4
EPSS
0.0022
EPSS Percentile
12.4%
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:X/U:Clear
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (5)
ch.qos.logback/logback-core
1.4.0 - 1.5.13 (Maven)
QOS.CH Sarl/logback
0.1 - 1.3.14
QOS.CH Sarl/logback
1.3.15
QOS.CH Sarl/logback
1.4.0 - 1.5.12
QOS.CH Sarl/logback
1.5.13
Published
Dec 19, 2024
Tracked Since
Feb 18, 2026