Vulnerabilities > CVE-2021-42550 - Deserialization of Untrusted Data vulnerability in multiple products
Attack vector
NETWORK Attack complexity
HIGH Privileges required
HIGH Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/cn-panda/logbackRceDemo
- https://jira.qos.ch/browse/LOGBACK-1591
- http://logback.qos.ch/news.html
- https://security.netapp.com/advisory/ntap-20211229-0001/
- http://seclists.org/fulldisclosure/2022/Jul/11
- http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf