CVE-2024-12798: 
Java vulnerability analysis and mitigation

An Arbitrary Code Execution (ACE) vulnerability was discovered in the JaninoEventEvaluator component of QOS.CH logback-core versions 0.1 to 1.3.14 and 1.4.0 to 1.5.12. The vulnerability was identified in December 2024 and assigned CVE-2024-12798. The vulnerability affects Java applications using the affected versions of logback-core (Logback News, NVD).

The vulnerability exists in the JaninoEventEvaluator extension of logback-core, which could allow arbitrary code execution through compromised configuration files. The vulnerability has been assigned a CVSS v4.0 base score of 5.9 (MEDIUM) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/RE:L/U:Clear. The vulnerability is classified under CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement) (NVD).

If exploited, this vulnerability allows an attacker to execute arbitrary code on the affected system. However, a successful attack requires the attacker to either have write access to a configuration file or the ability to inject an environment variable before program execution. In both scenarios, the attack requires existing privileges, indicating this vulnerability primarily serves as a privilege escalation vector (NVD).

The vulnerability has been addressed in logback versions 1.3.15 and 1.5.13 through the complete removal of the JaninoEventEvaluator component. Users are strongly advised to upgrade to these or later versions. The fix was implemented to prevent an escalation of existing flaws to a higher threat level (Logback News, Red Hat).