Find, fix and prevent vulnerabilities in your code.
medium severity
- Module: ch.qos.logback:logback-classic
- Introduced through: ch.qos.logback:logback-classic@1.5.24
Detailed paths
-
Introduced through: fherbreteau/spring-data-elasticsearch-extension@fherbreteau/spring-data-elasticsearch-extension#a4f41a4b6d58adb59204828d02852b566b667c6b › ch.qos.logback:logback-classic@1.5.24
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.5.24
Detailed paths
-
Introduced through: fherbreteau/spring-data-elasticsearch-extension@fherbreteau/spring-data-elasticsearch-extension#a4f41a4b6d58adb59204828d02852b566b667c6b › ch.qos.logback:logback-classic@1.5.24 › ch.qos.logback:logback-core@1.5.24
Dual license: EPL-1.0, LGPL-2.1
low severity
new
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.5.24
Detailed paths
-
Introduced through: fherbreteau/spring-data-elasticsearch-extension@fherbreteau/spring-data-elasticsearch-extension#a4f41a4b6d58adb59204828d02852b566b667c6b › ch.qos.logback:logback-classic@1.5.24 › ch.qos.logback:logback-core@1.5.24Remediation: Upgrade to ch.qos.logback:logback-classic@1.5.25.
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores during the configuration file processing. An attacker can instantiate arbitrary classes already present on the class path by compromising an existing configuration file.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.5.25 or higher.