OPENSUSE-SU-2025:14627-1 logback-1.2.11-4.1 on GA media

These are all security issues fixed in the logback-1.2.11-4.1 package on the GA media of openSUSE Tumbleweed...

Server-Side Request Forgery (SSRF)

ch.qos.logback, logback-core is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper handling of the DOCTYPE declaration in XML configuration files, allowing an attacker to forge requests...

CVE-2024-12798

A flaw was found in Logback. This flaw allows a privileged attacker with write access to modify Logback configuration files or inject a malicious environment variable to execute arbitrary code via the JaninoEventEvaluator extension...

CVE-2024-12801

A Server-Side Request Forgery SSRF vulnerability was found in Logback. This flaw allows a local attacker to forge requests by modifying XML configuration files to ignore external DTD files specified in DOCTYPE declarations, potentially exposing confidential or restricted data...

ai.acolite:openai-agent-sdk (>=0.1.0 <=0.4.0), ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0) +16388 more potentially affected by CVE-2024-12801 via ch.qos.logback:logback-core (>=1.4.0 <=1.5.12)

ch.qos.logback:logback-core MAVEN version =1.4.0, =0.1.0, =0.2.0, =0.114.0, =0.103.0, =0.114.0, =0.2.0, =0.8.0, =0.9.0 - ai.djl.spring:djl-spring-boot-starter-autoconfigure =0.26 - ai.djl.spring:djl-spring-boot-starter-mxnet-auto =0.26 - ai.djl.spring:djl-spring-boot-starter-mxnet-linux-x8664 =0....

ai.acolite:openai-agent-sdk (>=0.1.0 <=0.4.0), ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0) +16388 more potentially affected by CVE-2024-12798 via ch.qos.logback:logback-core (>=1.4.0 <=1.5.12)

ch.qos.logback:logback-core MAVEN version =1.4.0, =0.1.0, =0.2.0, =0.114.0, =0.103.0, =0.114.0, =0.2.0, =0.8.0, =0.9.0 - ai.djl.spring:djl-spring-boot-starter-autoconfigure =0.26 - ai.djl.spring:djl-spring-boot-starter-mxnet-auto =0.26 - ai.djl.spring:djl-spring-boot-starter-mxnet-linux-x8664 =0....

GHSA-PR98-23F8-JWXV QOS.CH logback-core Expression Language Injection vulnerability

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows attackers to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious...

GHSA-6V67-2WR5-GVF4 QOS.CH logback-core Server-Side Request Forgery vulnerability

Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML configuration files...

QOS.CH logback-core Server-Side Request Forgery vulnerability

Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML configuration files...

QOS.CH logback-core Expression Language Injection vulnerability

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows attackers to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious...

CVE-2024-12801

Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML...

CVE-2024-12801

Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML...

DEBIAN-CVE-2024-12801

Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML...

UBUNTU-CVE-2024-12801

Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML...

DEBIAN-CVE-2024-12798

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program...

CVE-2024-12798

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program...

CVE-2024-12798

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program...

UBUNTU-CVE-2024-12798

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program...

CVE-2024-12801 SaxEventRecorder vulnerable to Server-Side Request Forgery (SSRF) attacks

Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML...

CVE-2024-12801 SaxEventRecorder vulnerable to Server-Side Request Forgery (SSRF) attacks

Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML...