Details
- Type: Improvement
- Status: Open
- Priority: Minor
- Resolution: Unresolved
Description
In our exploration of your project we found that it is currently using version 1.0.13 of logback which is vulnerable to Arbitrary Code Execution. A configuration can be turned on to allow remote logging through interfaces that accept untrusted serialized data. Authenticated attackers on the adjacent network can exploit this vulnerability to run arbitrary code through the deserialization of custom gadget chains.
Recommendation:
Upgrade the version of logback in the pom.xml to version 1.2 or higher.
For additional details on this vulnerability you can visit the following websites:
Snyk: https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-30208
Common Vulnerabilities and Exposures (CVE): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
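As an added check that is not part of this issue or the project's own code, the script below scans a pom.xml for ch.qos.logback dependencies and flags any pinned below 1.2.0, the minimum version the recommendation above names for CVE-2017-5929. The embedded pom is a constructed sample, not the reported project's file; it shows the vulnerable 1.0.13 pin both written directly and resolved through a Maven property, since a plain text search for the version string misses the property case.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not the reported project's file) carrying the
# vulnerable logback pin, once via a property and once as a literal version.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <logback.version>1.0.13</logback.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${logback.version}</version>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
      <version>1.0.13</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.25</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MIN_SAFE = (1, 2, 0)  # first logback line the issue recommends (1.2 or higher)


def parse_version(text):
    """Turn '1.0.13' or '1.2.3-SNAPSHOT' into a comparable tuple of ints."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in match.groups())


def resolve(value, props):
    """Expand ${property} references against the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def find_logback_pins(pom_xml):
    """Return [(artifactId, resolved_version)] for every ch.qos.logback dependency."""
    root = ET.fromstring(pom_xml)
    # Strip the namespace from property tags so ${logback.version} can be looked up.
    props = {p.tag.split("}")[-1]: (p.text or "") for p in root.findall("m:properties/*", NS)}
    pins = []
    for dep in root.findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        if group != "ch.qos.logback":
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", default="", namespaces=NS)
        pins.append((artifact, resolve(version, props)))
    return pins


def vulnerable_pins(pom_xml):
    """Subset of logback pins older than 1.2.0, i.e. still affected by CVE-2017-5929."""
    return [(a, v) for a, v in find_logback_pins(pom_xml) if parse_version(v) < MIN_SAFE]


if __name__ == "__main__":
    for artifact, version in vulnerable_pins(SAMPLE_POM):
        print(f"{artifact} {version}: below 1.2.0, upgrade per the recommendation")
```

Run it against a real pom.xml by reading the file into `vulnerable_pins`; an empty result means every logback artifact is already at 1.2.0 or later. The check only covers versions declared in the pom itself, so a logback pulled in transitively by another dependency still has to be confirmed with `mvn dependency:tree`.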