ch.qos.logback:logback-classic 1.3.13 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the ch.qos.logback:logback-classic package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Improper Neutralization of Special Elements ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements via the `JaninoEventEvaluator` extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution. How to fix Improper Neutralization of Special Elements? Upgrade `ch.qos.logback:logback-classic` to version 1.3.15, 1.5.13 or higher.	[,1.3.15)[1.4.0,1.5.13)
H Uncontrolled Resource Consumption ('Resource Exhaustion') ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `logback receiver` component. An attacker can mount a denial-of-service attack by sending poisoned data. Note: Successful exploitation requires the logback-receiver component being enabled and also reachable by the attacker. How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')? Upgrade `ch.qos.logback:logback-classic` to version 1.2.13, 1.3.14, 1.4.14 or higher.	[,1.2.13)[1.3.0,1.3.14)[1.4.0,1.4.14)

Vulnerability

Vulnerable Version

Improper Neutralization of Special Elements

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements via the JaninoEventEvaluator extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution.

How to fix Improper Neutralization of Special Elements?

Upgrade ch.qos.logback:logback-classic to version 1.3.15, 1.5.13 or higher.

[,1.3.15)[1.4.0,1.5.13)

Uncontrolled Resource Consumption ('Resource Exhaustion')

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component. An attacker can mount a denial-of-service attack by sending poisoned data.

Note:

Successful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.

How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')?

Upgrade ch.qos.logback:logback-classic to version 1.2.13, 1.3.14, 1.4.14 or higher.

[,1.2.13)[1.3.0,1.3.14)[1.4.0,1.4.14)

ch.qos.logback:logback-classic@1.3.13 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically