Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform allows an attacker to forge requests by compromising logback configuration files in XML. The attack involves the modification of the DOCTYPE declaration in XML configuration files.
History

Fri, 20 Dec 2024 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Dec 2024 01:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N'}

threat_severity

Low


Thu, 19 Dec 2024 16:30:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform allows an attacker to forge requests by compromising logback configuration files in XML. The attack involves the modification of the DOCTYPE declaration in XML configuration files.
Title SaxEventRecorder vulnerable to Server-Side Request Forgery (SSRF) attacks
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 2.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H/V:D/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published: 2024-12-19T16:11:50.044Z

Updated: 2024-12-20T20:16:07.566Z

Reserved: 2024-12-19T16:09:59.761Z

Link: CVE-2024-12801

Vulnrichment

Updated: 2024-12-20T20:16:02.318Z

NVD

Status: Received

Published: 2024-12-19T17:15:08.930

Modified: 2024-12-19T17:15:08.930

Link: CVE-2024-12801

Redhat

Severity: Low

Public Date: 2024-12-19T16:11:50Z

Links: CVE-2024-12801 - Bugzilla