CVE-2021-42550

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

Published: Dec 16, 2021
Updated: May 9, 2024
CVE: CVE-2021-42550
GHSA: GHSA-668q-qrv7-99fm
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.6
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 8.5
AV:N/AC:M/Au:S/C:C/I:C/A:C

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
qos / logback	1.3.0-alpha6	1.3.0-alpha6.x
qos / logback	1.3.0-alpha7	1.3.0-alpha7.x
qos / logback	1.3.0-alpha8	1.3.0-alpha8.x
qos / logback	1.3.0-alpha9	1.3.0-alpha9.x
qos / logback	1.3.0-alpha10	1.3.0-alpha10.x
qos / logback	-	1.2.7.x
qos / logback	1.3.0-alpha0	1.3.0-alpha0.x
qos / logback	1.3.0-alpha1	1.3.0-alpha1.x
qos / logback	1.3.0-alpha2	1.3.0-alpha2.x
qos / logback	1.3.0-alpha3	1.3.0-alpha3.x
qos / logback	1.3.0-alpha4	1.3.0-alpha4.x
qos / logback	1.3.0-alpha5	1.3.0-alpha5.x
redhat / satellite	6.0	6.0.x
siemens / sinec_nms	-	1.0.3
ch.qos.logback / logback-core	-	1.2.9

Vulnerability Database

289,599

CVE-2021-42550