CVE-2024-12798: JaninoEventEvaluator vulnerability
First published: Thu Dec 19 2024(Updated: )
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto and including version 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
Credit: vulnerability@ncsc.ch vulnerability@ncsc.ch
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/ch.qos.logback:logback-core | <1.3.15 | 1.3.15 |
| maven/ch.qos.logback:logback-core | >=1.4.0<1.5.13 | 1.5.13 |
Remedy
Remove Janino from the Java classpath. Alternatively, update to logback version 1.5.13 or later. If you are using the 1.3.x series, update to logback version 1.3.15 or later. Note that the 1.4.x series remains vulnerable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://logback.qos.ch/news.html#1.5.13
- https://logback.qos.ch/news.html#1.3.15
- https://nvd.nist.gov/vuln/detail/CVE-2024-12798
- https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183
- https://github.com/advisories/GHSA-pr98-23f8-jwxv (Advisory)
- https://access.redhat.com/errata/RHSA-2025:1078
- https://bugzilla.redhat.com/show_bug.cgi?id=2333351
- https://www.ibm.com/support/pages/node/7232197 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-12798?
CVE-2024-12798 is considered a high severity vulnerability due to its potential to allow arbitrary code execution.
How do I fix CVE-2024-12798?
To fix CVE-2024-12798, upgrade to logback-core version 1.3.15 or 1.5.13.
Which versions are affected by CVE-2024-12798?
CVE-2024-12798 affects logback-core versions from 0.1 to 1.3.14 and from 1.4.0 to 1.5.12.
What types of attacks can CVE-2024-12798 facilitate?
CVE-2024-12798 can facilitate attacks that involve executing arbitrary code by compromising the logback configuration.
Are there any other remediation steps for CVE-2024-12798 besides upgrading?
In addition to upgrading, review and secure your logback configuration files to prevent malicious injections.
- agent/title
- agent/weakness
- agent/first-publish-date
- agent/type
- agent/author
- agent/trending
- collector/mitre-cve
- source/MITRE
- agent/remedy
- collector/nvd-api
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-pr98-23f8-jwxv
- alias/CVE-2024-12798
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-cve
- collector/github-advisory
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- agent/references
- agent/severity
- agent/source
- agent/tags
- agent/description
- agent/event
- collector/ibm-support
- source/IBM
- package-manager/maven