455 matches found

RedHat Linux (added 2024/08/26 11:5 a.m., 6 views)

jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution

A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when...

CVSS 5.9 | AI score 7.8 | EPSS 0.45205 | Exploits: 2 | References: 4
RedHat Linux (added 2024/08/26 11:5 a.m., 7 views)

jackson-databind: default typing mishandling leading to remote code execution

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache and logback JNDI gadgets when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLAS...

CVSS 9.8 | AI score 7.4 | EPSS 0.08045 | Exploits: 0 | References: 4
IBM Security Bulletins (added 2024/07/12 5:2 a.m., 28 views)

Security Bulletin: CVE-2023-6378

Summary: A serialization vulnerability in the logback receiver component, part of logback version 1.4.11, allows an attacker to mount a denial-of-service attack by sending poisoned data. Vulnerability Details: CVEID: CVE-2023-6378. DESCRIPTION: QOS.ch Sarl Logback is vulnerable to a denial of service, caus...

CVSS 7.5 | AI score 7 | EPSS 0.009 | Exploits: 0 | Affected Software: 1
IBM Security Bulletins (added 2024/07/12 5:1 a.m., 31 views)

Security Bulletin: CVE-2023-6481

Summary: A serialization vulnerability in the logback receiver component, part of logback versions 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a denial-of-service attack by sending poisoned data. Vulnerability Details: CVEID: CVE-2023-6481. DESCRIPTION: QOS.ch Sarl Logback is vulnerable to a deni...

CVSS 7.5 | AI score 6.8 | EPSS 0.00682 | Exploits: 0 | Affected Software: 1
Redos (added 2024/07/04 12:0 a.m., 22 views)

ROS-20240704-06

A vulnerability in the logback receiver component of the logback logging library is related to the recovery of inaccurate data in memory. Exploitation of the vulnerability could allow an attacker to cause a denial of service...

CVSS 7.5 | AI score 6.5 | EPSS 0.009 | Exploits: 0
OSV (added 2024/06/15 12:0 a.m., 3 views)

OPENSUSE-SU-2024:12026-1 logback-1.2.11-1.1 on GA media

These are all security issues fixed in the logback-1.2.11-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 8.5 | AI score 6.6 | EPSS 0.04439 | Exploits: 1 | References: 1
OSV (added 2024/06/15 12:0 a.m., 8 views)

OPENSUSE-SU-2024:11683-1 logback-1.2.8-1.1 on GA media

These are all security issues fixed in the logback-1.2.8-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 10 | AI score 10 | EPSS 0.99999 | Exploits: 343 | References: 1
Veracode (added 2024/06/14 4:52 p.m., 28 views)

Denial Of Service (DoS)

ch.qos.logback:logback-classic is vulnerable to Denial of Service (DoS). The vulnerability is due to the readObject method in the LoggingEventVO class, which fails to check the length of an argument array during deserialization. An attacker could send crafted data, resulting in Denial of Service (DoS)...

CVSS 7.5 | AI score 6.5 | EPSS 0.00682 | Exploits: 0 | References: 4 | Affected Software: 2
RedHat Linux (added 2024/05/23 10:45 p.m., 2 views)

logback: serialization vulnerability in logback receiver

A flaw was found in the logback package, where it is vulnerable to a denial of service caused by a serialization flaw in the receiver component. By sending specially crafted poisoned data, a remote attacker can cause a denial of service condition...

CVSS 7.5 | AI score 7.2 | EPSS 0.009 | Exploits: 0 | References: 4
RedHat Linux (added 2024/05/23 10:45 p.m., 4 views)

logback: A serialization vulnerability in logback receiver

A flaw was found in the logback package. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption 'Resource Exhaustion' via the logback receiver component. This flaw allows an attacker to mount a denial-of-service attack by sending poisoned data...

CVSS 7.5 | AI score 7.1 | EPSS 0.00682 | Exploits: 0 | References: 4
RedHat Linux (added 2024/05/21 2:18 p.m., 1 view)

logback: serialization vulnerability in logback receiver

A flaw was found in the logback package, where it is vulnerable to a denial of service caused by a serialization flaw in the receiver component. By sending specially crafted poisoned data, a remote attacker can cause a denial of service condition...

CVSS 7.5 | AI score 7.2 | EPSS 0.009 | Exploits: 0 | References: 4
RedHat Linux (added 2024/05/21 2:18 p.m., 2 views)

logback: A serialization vulnerability in logback receiver

A flaw was found in the logback package. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption 'Resource Exhaustion' via the logback receiver component. This flaw allows an attacker to mount a denial-of-service attack by sending poisoned data...

CVSS 7.5 | AI score 7.1 | EPSS 0.00682 | Exploits: 0 | References: 4
IBM Security Bulletins (added 2024/03/27 3:37 p.m., 36 views)

Security Bulletin: Multiple Vulnerabilities in IBM Operations Analytics Predictive Insights.

Summary: Multiple vulnerabilities were addressed in IBM Operations Analytics Predictive Insights 1.3.6 iFix 8. Vulnerability Details: CVEID: CVE-2022-46337. DESCRIPTION: Apache Derby could allow a remote attacker to bypass security restrictions, caused by an LDAP injection vulnerability in authenticato...

CVSS 9.8 | AI score 9.9 | EPSS 0.0184 | Exploits: 5 | Affected Software: 1
IBM Security Bulletins (added 2024/03/25 9:16 a.m., 47 views)

Security Bulletin: Vulnerabilities in Logback may affect the IBM Spectrum Protect Server (CVE-2023-6378)

Summary: The IBM Spectrum Protect Server may be affected by vulnerabilities in Logback, such as a denial of service caused by a serialization flaw in the logback receiver component. Vulnerability Details: CVEID: CVE-2023-6378. DESCRIPTION: QOS.ch Sarl Logback is vulnerable to a denial of service, caused ...

CVSS 7.5 | AI score 7.3 | EPSS 0.009 | Exploits: 0 | Affected Software: 1
IBM Security Bulletins (added 2024/03/25 9:16 a.m., 64 views)

Security Bulletin: Vulnerabilities in Logback may affect the IBM Spectrum Protect Server (CVE-2023-6481)

Summary: The IBM Spectrum Protect Server may be affected by vulnerabilities in Logback, such as a denial of service caused by a serialization flaw in the logback receiver component. Vulnerability Details: CVEID: CVE-2023-6481. DESCRIPTION: QOS.ch Sarl Logback is vulnerable to a denial of service, caused ...

CVSS 7.5 | AI score 7.1 | EPSS 0.00682 | Exploits: 0 | Affected Software: 1
RedHat Linux (added 2024/03/18 9:47 a.m., 1 view)

logback: A serialization vulnerability in logback receiver

A flaw was found in the logback package. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption 'Resource Exhaustion' via the logback receiver component. This flaw allows an attacker to mount a denial-of-service attack by sending poisoned data...

CVSS 7.5 | AI score 7.1 | EPSS 0.00682 | Exploits: 0 | References: 4
IBM Security Bulletins (added 2024/03/11 7:44 p.m., 27 views)

Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities

Summary: There are multiple vulnerabilities in components of IBM i Modernization Engine for Lifecycle Integration, as described in the Vulnerability Details section. QOS.ch Sarl Logback is vulnerable to a denial of service (CVE-2023-6481, CVE-2023-6378). The Bouncy Castle Crypto Package For Java...

CVSS 7.5 | AI score 8.4 | EPSS 0.93305 | Exploits: 4 | Affected Software: 1
IBM Security Bulletins (added 2024/03/01 7:39 p.m., 51 views)

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for February 2024.

Summary: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF030 and 23.0.2-IF002. Vulnerability Details: CVEID: CVE-2023-2976. DESCRIPTION: Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with...

CVSS 9.3 | AI score 9.8 | EPSS 0.99999 | Exploits: 22 | Affected Software: 1
Tenable Nessus (added 2024/03/01 12:0 a.m., 56 views)

Atlassian Confluence 6.0.1 < 7.19.18 / 7.20.x < 8.5.5 / 8.6.x < 8.7.2 / 8.8.0 (CONFSERVER-94111)

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-94111 advisory. This High severity ch.qos.logback:logback-classic dependency vulnerability was introduced in version 6.0.1 of Confluence Data Center and Server...

CVSS 7.5 | AI score 7.2 | EPSS 0.00682 | Exploits: 0 | References: 2
IBM Security Bulletins (added 2024/02/29 1:23 p.m., 42 views)

Security Bulletin: There is a vulnerability in Asset Data Dictionary used by IBM Maximo Asset Management application (CVE-2023-44487, CVE-2022-41881, CVE-2022-41915, CVE-2021-42550, CVE-2023-34462, CVE-2023-6481 and CVE-2023-6378)

Summary: There is a vulnerability in Asset Data Dictionary used by IBM Maximo Asset Management application (CVE-2023-44487, CVE-2022-41881, CVE-2022-41915, CVE-2021-42550, CVE-2023-34462, CVE-2023-6481 and CVE-2023-6378). Vulnerability Details: CVEID: CVE-2023-44487. DESCRIPTION: Multiple vendors are...

CVSS 8.5 | AI score 8.6 | EPSS 0.99999 | Exploits: 23 | Affected Software: 1