[logback-dev] [JIRA] Updates for LOGBACK-1593: sessionViaJNDI function of SMTPAppender may suffer from JNDI injection
QOS.CH (JIRA)
noreply-jira at qos.ch
Thu Dec 16 07:04:00 CET 2021
logback / LOGBACK-1593 [Open]
sessionViaJNDI function of SMTPAppender may suffer from JNDI injection
==============================
Here's what changed in this issue in the last few minutes.
This issue has been created
This issue is now assigned to you.
View or comment on issue using this link
https://jira.qos.ch/browse/LOGBACK-1593
==============================
Issue created
------------------------------
Diggid created this issue on 16/Dec/21 6:49 AM
Summary: sessionViaJNDI function of SMTPAppender may suffer from JNDI injection
Issue Type: Bug
Assignee: Logback dev list
Attachments: poc.pdf
Components: logback-classic, logback-core
Created: 16/Dec/21 6:49 AM
Labels: smtpappender
Priority: Critical
Reporter: Diggid
Description: Hello friend! Similar to [CVE-2021-4104|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104], in logback's SMTPAppender it is possible to override the configuration to enable sessionViaJNDI and specify jndiLocation as a malicious JNDI server, leading to JNDI injection and even RCE. More details are in the attached PDF.
==============================
This message was sent by Atlassian Jira (v8.8.0#808000-sha1:e2c7e59)