CVE-2021-42550 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.6 MEDIUM	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
NCSC.ch	CNA	6.6 MEDIUM	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 88%

Vendor	Product	Version
qos	logback	𝑥 ≤ 1.2.7
qos	logback	1.3.0:alpha0
qos	logback	1.3.0:alpha1
qos	logback	1.3.0:alpha10
qos	logback	1.3.0:alpha2
qos	logback	1.3.0:alpha3
qos	logback	1.3.0:alpha4
qos	logback	1.3.0:alpha5
qos	logback	1.3.0:alpha6
qos	logback	1.3.0:alpha7
qos	logback	1.3.0:alpha8
qos	logback	1.3.0:alpha9
redhat	satellite	6.0
netapp	cloud_manager	-
netapp	service_level_manager	-
netapp	snap_creator_framework	-
siemens	sinec_nms	𝑥 < 1.0.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

logback

bullseye	no-dsa
buster	no-dsa
stretch	no-dsa
bookworm	1:1.2.11-3 fixed
sid	1:1.2.11-5 fixed
trixie	1:1.2.11-5 fixed

Ubuntu Releases

Ubuntu Product

Codename

logback

noble	needs-triage
mantic	ignored
lunar	ignored
kinetic	ignored
jammy	needs-triage
impish	ignored
hirsute	ignored
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	ignored

Known Exploits!

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

http://logback.qos.ch/news.html

http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html

http://seclists.org/fulldisclosure/2022/Jul/11

https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf

https://github.com/cn-panda/logbackRceDemo

https://jira.qos.ch/browse/LOGBACK-1591

https://security.netapp.com/advisory/ntap-20211229-0001/

http://logback.qos.ch/news.html

http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html

http://seclists.org/fulldisclosure/2022/Jul/11

https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf

https://github.com/cn-panda/logbackRceDemo

https://jira.qos.ch/browse/LOGBACK-1591

https://security.netapp.com/advisory/ntap-20211229-0001/