Vulnerability Details : CVE-2021-42550
In logback version 1.2.7 and prior versions, an attacker with the privileges required to edit configuration files could craft a malicious configuration that executes arbitrary code loaded from LDAP servers.
Published: 2021-12-16 19:15:08
Updated: 2022-12-12 21:13:07
Vulnerability category: Execute code
Products affected by CVE-2021-42550
- cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinec_nms:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*
- cpe:2.3:a:qos:logback:*:*:*:*:*:*:*:*
- cpe:2.3:a:qos:logback:1.3.0:alpha0:*:*:*:*:*:*
- cpe:2.3:a:qos:logback:1.3.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:qos:logback:1.3.0:alpha10:*:*:*:*:*:*
- cpe:2.3:a:qos:logback:1.3.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:qos:logback:1.3.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:qos:logback:1.3.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:qos:logback:1.3.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:qos:logback:1.3.0:alpha6:*:*:*:*:*:*
- cpe:2.3:a:qos:logback:1.3.0:alpha7:*:*:*:*:*:*
- cpe:2.3:a:qos:logback:1.3.0:alpha8:*:*:*:*:*:*
- cpe:2.3:a:qos:logback:1.3.0:alpha9:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-42550
- EPSS score: 1.56% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~86% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2021-42550
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C | 6.8 | 10.0 | NIST | |
6.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.7 | 5.9 | NIST | |
6.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.7 | 5.9 | Switzerland Government Common Vulnerability Program | |
CWE ids for CVE-2021-42550
- The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Assigned by:
- nvd@nist.gov (Primary)
- vulnerability@ncsc.ch (Secondary)
References for CVE-2021-42550
- https://security.netapp.com/advisory/ntap-20211229-0001/ (Third Party Advisory): CVE-2021-42550 Logback Vulnerability in NetApp Products | NetApp Product Security
- http://seclists.org/fulldisclosure/2022/Jul/11 (Mailing List; Third Party Advisory): Full Disclosure: Open-Xchange Security Advisory 2022-07-21
- http://logback.qos.ch/news.html (Vendor Advisory): News
- https://github.com/cn-panda/logbackRceDemo (Exploit; Third Party Advisory): GitHub - cn-panda/logbackRceDemo: The project is a simple vulnerability Demo environment written by SpringBoot. Here, I deliberately wrote a vulnerability environment where there are arbitrary file up
- https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf (Third Party Advisory)
- http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html (Exploit; Third Party Advisory; VDB Entry): Open-Xchange App Suite 7.10.x Cross Site Scripting / Command Injection ≈ Packet Storm
- https://jira.qos.ch/browse/LOGBACK-1591 (Exploit; Issue Tracking; Patch; Third Party Advisory): [LOGBACK-1591] Possibility of vulnerability - registered as CVE-2021-42550 - QOS.ch JIRA