Sign In

CVE-2024-12798

ADVISORY - github

Summary

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows attackers to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.

Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension.

A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

EPSS Score: 0.0015 (0.364)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

ADVISORY - github

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

ADVISORY - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in