CVE-2024-12801
QOS.CH logback-core Server-Side Request Forgery vulnerability
EPSS 0.06%
Description
Server-Side Request Forgery (SSRF) in SaxEventRecorder in QOS.CH logback versions 0.1 through 1.3.14 and 1.4.0 through 1.5.12 on the Java platform allows an attacker who can tamper with logback's XML configuration files to make the application issue forged requests. The attack works by adding or modifying a DOCTYPE declaration in the XML configuration file: a DOCTYPE can declare an external entity, and when the configuration parser resolves that entity it fetches the attacker-chosen URI from the application's own network position (the classic XXE route to SSRF). Note the precondition: the attacker must already be able to write to the configuration file, or to whatever source it is loaded from, which is why the CVSS 4.0 vector below rates the attack as local with low privileges and an attack requirement (AV:L, PR:L, AT:P).
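The following is an added example, not code from logback or from this advisory, showing the two checks a practitioner wants here: a scanner that flags the attack precondition (a DOCTYPE declaration, and any external entity URIs it declares) in a logback XML configuration, and a parse that aborts on the first DOCTYPE, which is the standard XXE hardening for an XML consumer that never needs a DTD (logback configuration files do not). The two configuration files, the entity name `probe` and the URI `http://internal.example/admin/health` are constructed samples; nothing is fetched over the network.

```python
"""Spot the CVE-2024-12801 attack precondition in logback XML configuration files.

Added example (not logback's own code). Vulnerable logback versions parsed DOCTYPE
declarations in configuration files, so an attacker-planted DOCTYPE that declares an
external entity makes the parser fetch that URI (XXE leading to SSRF). scan_config()
flags DOCTYPE declarations and lists external entity URIs; parse_rejecting_doctype()
shows the hardened behaviour of refusing any DOCTYPE outright.
"""
import re
import xml.parsers.expat

# Constructed samples: a benign logback.xml and one with an attacker-planted DOCTYPE.
CLEAN_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level %logger - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""

TAMPERED_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE configuration [
  <!ENTITY probe SYSTEM "http://internal.example/admin/health">
]>
<configuration>
  <property name="leak" value="&probe;"/>
  <root level="INFO"/>
</configuration>
"""

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# General (&name;) or parameter (% name) entities with a SYSTEM or PUBLIC external identifier;
# the captured URI is the location the parser would fetch when the entity is resolved.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?(\w+)\s+(?:SYSTEM|PUBLIC\s+\"[^\"]*\")\s+\"([^\"]*)\"",
    re.IGNORECASE,
)


def scan_config(xml_text):
    """Return {"doctype": bool, "external_entities": [(entity_name, uri), ...]}."""
    return {
        "doctype": bool(DOCTYPE_RE.search(xml_text)),
        "external_entities": EXTERNAL_ENTITY_RE.findall(xml_text),
    }


class DoctypeRejected(ValueError):
    """Raised when a configuration file carries a DOCTYPE declaration."""


def parse_rejecting_doctype(xml_text):
    """Parse with expat but abort at the first DOCTYPE declaration.

    Expat reports the DOCTYPE before it reads the internal subset, so the external
    entity is never declared, let alone resolved. Returns the root element name.
    """
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' not allowed in logging configuration")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(xml_text, True)
    return root[0]


def rejects_doctype(xml_text):
    """True if the hardened parse refuses this document, False if it parses cleanly."""
    try:
        parse_rejecting_doctype(xml_text)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        print(label, scan_config(cfg))
        print(label, "rejected by hardened parse:", rejects_doctype(cfg))
```

Run it over every logback.xml / logback-spring.xml (and any other XML the logging layer loads from disk) on a host that cannot yet be upgraded; a DOCTYPE in a logging configuration is never legitimate, so any hit is either tampering or a file to clean up before it is loaded.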
How to fix CVE-2024-12801
To remediate CVE-2024-12801, upgrade the affected package to a fixed version listed below.
- Debian/logback—no fix listed
- Maven/ch.qos.logback:logback-core—upgrade to 1.5.13 or later
The description also covers the 1.3.x branch through 1.3.14, but this page lists no fixed 1.3 release; check the vendor's release notes before relying on a 1.3.x version. Until the upgrade lands, restrict write access to the configuration files logback loads, since the attack requires modifying them.
Is CVE-2024-12801 being exploited?
Low. The EPSS score is 0.06% (about 0.1%), meaning exploitation activity has not been observed at scale. The low score is consistent with the precondition: the attacker must already be able to modify the application's logback configuration file.
Affected packages (2)
- Debian/logback: from 0 (no fixed version listed)
- Maven/ch.qos.logback:logback-core: >= 1.4.0, < 1.5.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H/V:D/U:Clear |