CVE-2021-42550 — Deserialization of Untrusted Data in Logback

CWE-502 — Deserialization of Untrusted Data11 documents8 sources

Severity

6.6MEDIUMNVD

EPSS

2.7%

top 14.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qos.ch Logback QOS Logback Siemens Sinec NMS +1 more

Timeline

PublishedDec 16

Latest updateJul 2

Description

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.7 | Impact: 5.9

Affected Packages6 packages

▶CVEListV5qos.ch/logbackunspecified — 1.2.9+1

▶Debianqos/logback< 1:1.2.8-1+2

▶Ubuntuqos/logback< 1:1.1.3-2ubuntu0.1~esm1+3

▶NVDqos/logback1.2.7+1

▶NVDsiemens/sinec_nms< 1.0.3

Patches

Patch: jira.qos.ch ↗Patch: jira.qos.ch ↗

🔴Vulnerability Details

OSV

logback vulnerabilities↗2025-07-02

▶

GHSA

Deserialization of Untrusted Data in logback↗2021-12-17

▶

OSV

Deserialization of Untrusted Data in logback↗2021-12-17

▶

OSV

CVE-2021-42550: In logback version 1↗2021-12-16

▶

CVEList

RCE from attacker with configuration edit priviledges through JNDI lookup↗2021-12-16

▶

📋Vendor Advisories

Ubuntu

logback vulnerabilities↗2025-07-02

▶

Red Hat

logback: remote code execution through JNDI call from within its configuration file↗2021-12-16

▶

Debian

CVE-2021-42550: logback - In logback version 1.2.7 and prior versions, an attacker with the required privi...↗2021

▶

🕵️Threat Intelligence

Sentinelone

Log4j One Month On | Crimeware and Exploitation Roundup↗2022-01-10

▶

Sentinelone

Log4j One Month On | Crimeware and Exploitation Roundup↗2022-01-10

▶