CVE-2024-12801
Server-Side Request Forgery (SSRF) vulnerability in logback-core (Maven)

Server-Side Request Forgery (SSRF) · No known exploit · Fixable by Resolved Security

What is CVE-2024-12801 About?

This vulnerability is a Server-Side Request Forgery (SSRF) in logback's SaxEventRecorder, the component that parses logback XML configuration files. An attacker who can modify those configuration files can make the application's XML parser issue requests to attacker-chosen resources; once that level of control over the configuration files has been obtained, exploitation is moderately easy.

Affected Software

  • ch.qos.logback:logback-core
    • <1.3.15
    • >1.4.0, <1.5.13

Technical Details

The SaxEventRecorder component in logback versions through 1.5.12 (see Affected Software above) on the Java platform is vulnerable to Server-Side Request Forgery. An attacker who can edit a logback configuration XML file can exploit this by modifying its DOCTYPE declaration. By declaring external entities or crafting specific XML structures, the attacker can cause the server's XML parser to fetch arbitrary internal or external resources, potentially bypassing firewalls, accessing sensitive data, or interacting with internal services.

What is the Impact of CVE-2024-12801?

Successful exploitation may allow attackers to make arbitrary requests from the server, bypass network restrictions, access internal services, and potentially retrieve sensitive information.

What is the Exploitability of CVE-2024-12801?

Exploitation requires the ability to compromise and modify logback XML configuration files, which can be a moderate- to high-complexity task depending on the system's security posture. No authentication against the vulnerable component is needed if the XML files can be manipulated; the privileges required are those needed to alter the configuration files. The resulting requests are made over the network, but the attack relies on an initial compromise or a specific system setup that allows configuration file modification. The primary risk factor is therefore inadequate protection of logback configuration files.

What are the Known Public Exploits?

No known exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2024-12801?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch adds a custom resolveEntity method to the SAX event recorder that blocks external DTD (DOCTYPE) resolution: instead of fetching the referenced resource, it returns an empty input source and logs a warning, so the XML parser never makes an outbound network request. This fixes CVE-2024-12801, a server-side request forgery (SSRF) vulnerability, because parsing untrusted XML with external entity resolution enabled would otherwise let an attacker trigger arbitrary outbound HTTP requests from the server.
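The following is an added illustration of the mitigation technique described above; it is not the Resolved Security patch and not logback's own SaxEventRecorder. It shows a SAX handler whose resolveEntity override refuses every external entity (including the DOCTYPE's external DTD) by handing the parser an empty input source and logging a warning, while the rest of the document is still parsed normally. The class name, the recorded element list and the sample configuration with its placeholder.invalid hostname are all assumptions made for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Illustrative SAX handler (hypothetical; not logback's code) that records
 * element names and refuses to resolve any external entity.
 */
public class NoExternalEntityRecorder extends DefaultHandler {

    /** Element names seen while parsing. */
    final List<String> elements = new ArrayList<>();
    /** System identifiers the parser asked for and was refused. */
    final List<String> blocked = new ArrayList<>();

    @Override
    public InputSource resolveEntity(String publicId, String systemId)
            throws IOException, SAXException {
        // Never fetch publicId/systemId: return an empty document so the parser
        // sees an empty DTD and continues without any network access.
        blocked.add(systemId);
        System.err.println("WARN: refusing to resolve external entity: publicId="
                + publicId + ", systemId=" + systemId);
        return new InputSource(new StringReader(""));
    }

    @Override
    public void startElement(String uri, String localName, String qName, Attributes attrs) {
        elements.add(qName);
    }

    /** Parses the XML string with the hardened handler and returns the handler. */
    public static NoExternalEntityRecorder parse(String xml) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        SAXParser parser = factory.newSAXParser();
        NoExternalEntityRecorder recorder = new NoExternalEntityRecorder();
        // DefaultHandler implements EntityResolver, so SAXParser.parse installs the
        // resolveEntity override above as the parser's entity resolver.
        parser.parse(new InputSource(new StringReader(xml)), recorder);
        return recorder;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a logback-style configuration whose DOCTYPE points at an
        // external DTD. The hostname is a placeholder, not a real host.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE configuration SYSTEM \"http://placeholder.invalid/logback.dtd\">\n"
                + "<configuration>\n"
                + "  <root level=\"INFO\"/>\n"
                + "</configuration>\n";
        NoExternalEntityRecorder recorder = parse(xml);
        System.out.println("elements: " + recorder.elements);
        System.out.println("blocked:  " + recorder.blocked);
    }
}
```

The resolver approach keeps files with a DOCTYPE parseable, which matches the fix description above. As a second layer, a deployment that never needs DTDs at all can additionally set the parser features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false (or `http://apache.org/xml/features/disallow-doctype-decl` to true to reject DOCTYPE outright), so the parser skips external resolution before the resolver is even consulted.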

Available Upgrade Options

  • ch.qos.logback:logback-core
    • <1.3.15 → Upgrade to 1.3.15
    • >1.4.0, <1.5.13 → Upgrade to 1.5.13


Additional Resources

What are Similar Vulnerabilities to CVE-2024-12801?

Similar Vulnerabilities: CVE-2021-33814, CVE-2021-43845, CVE-2023-49033, CVE-2023-28103, CVE-2023-35631