[
https://issues.apache.org/jira/browse/CASSANDRA-20615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17949157#comment-17949157
]
Brandon Williams commented on CASSANDRA-20615:
----------------------------------------------
I think we suppressed this.
> CVE-2024-12798 and CVE-2024-12801 are reported by BlackDuckScan on
> Cassandra5.0.2
> ---------------------------------------------------------------------------------
>
> Key: CASSANDRA-20615
> URL: https://issues.apache.org/jira/browse/CASSANDRA-20615
> Project: Apache Cassandra
> Issue Type: Bug
> Reporter: Kapil Shewate
> Priority: Normal
>
>
> [https://nvd.nist.gov/vuln/detail/CVE-2024-12798]
> ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto
> including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications
> allows attacker to execute arbitrary code by compromising an existing logback
> configuration file or by injecting an environment variable before program
> execution. Malicious logback configuration files can allow the attacker to
> execute arbitrary code using the JaninoEventEvaluator extension. A successful
> attack requires the user to have write access to a configuration file.
> Alternatively, the attacker could inject a malicious environment variable
> pointing to a malicious configuration file. In both cases, the attack
> requires existing privilege.
>
> [https://nvd.nist.gov/vuln/detail/CVE-2024-12801]
> Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback
> version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an
> attacker to forge requests by compromising logback configuration files in
> XML. The attacks involves the modification of DOCTYPE declaration in XML
> configuration files.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
