
CVE-2023-6481: Logback is vulnerable to an attacker mounting a Denial-Of-Service attack by sending poisoned data

CVSS Score (v3.1): 7.1

Basic Information

EPSS Score
0.53844%
CWE
-
Published
12/4/2023
Updated
12/8/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Package Name                   Ecosystem   Vulnerable Versions   First Patched Version
ch.qos.logback:logback-core    maven       = 1.4.13              1.4.14
ch.qos.logback:logback-core    maven       = 1.3.13              1.3.14
ch.qos.logback:logback-core    maven       = 1.2.12              1.2.13

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from missing initialization of the deserialization filter in a constructor of HardenedObjectInputStream. Without that filter, data handed to the logback receiver component is deserialized with no bound on the nesting depth or object count of the incoming object graph, so a stream built from nested HashSet structures is accepted and the JVM burns unbounded CPU recomputing element hashes while rebuilding it (HashDoS). The fix commit (7018a36) adds the missing initObjectFilter() call, and the accompanying test case demonstrates that without this call such a payload is deserialized. The direct correlation between the missing filter initialization and the security test case confirms this as the root cause.
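To make the failure mode concrete, here is an added example (not logback's code and not the fix commit) in Java: a whitelist-only ObjectInputStream that omits the JDK deserialization filter, which is the shape of the defect described above, a hardened subclass that installs the filter before any object is read, and a SerialDOS-style nested-HashSet payload built only from whitelisted JDK classes, so a class whitelist alone cannot stop it. The class names, the whitelist contents and the filter limits (maxdepth=16, maxrefs=10000, maxarray=10000) are assumptions for illustration; the program needs Java 9+ for java.io.ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/*
 * Added example, not logback's code. Class and method names are hypothetical;
 * requires Java 9+ (java.io.ObjectInputFilter).
 */
public class HashDosFilterDemo {

    /** Class-name whitelist only: resolveClass() blocks unknown classes, but nothing
     *  bounds the shape of the object graph, so a payload made purely of whitelisted
     *  JDK collections is accepted and rebuilt in full. */
    static class WhitelistOnlyObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        WhitelistOnlyObjectInputStream(InputStream in, Collection<String> allowed) throws IOException {
            super(in);
            this.allowed = new HashSet<>(allowed);
            // No ObjectInputFilter is installed here: this is the missing-initialization defect.
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on whitelist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Hardened variant: the same whitelist plus a structural filter, set before any object is read. */
    static class FilteredObjectInputStream extends WhitelistOnlyObjectInputStream {
        FilteredObjectInputStream(InputStream in, Collection<String> allowed, int maxDepth) throws IOException {
            super(in, allowed);
            initObjectFilter(maxDepth); // the call whose absence is the root cause
        }

        private void initObjectFilter(int maxDepth) {
            // maxdepth bounds graph nesting, maxrefs the number of objects, maxarray array lengths (assumed limits).
            ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                    "maxdepth=" + maxDepth + ";maxrefs=10000;maxarray=10000");
            setObjectInputFilter(filter);
        }
    }

    /** Constructed SerialDOS-style payload: a chain of HashSets in which the two sets at each level
     *  share the same two children. Writing it is linear (shared objects are serialized once), but
     *  HashSet.readObject() calls the uncached hashCode() of every element, which recurses through
     *  the shared subtrees, so rebuilding it costs about 2^depth hashCode() calls. */
    static byte[] buildNestedHashSetPayload(int depth) throws IOException {
        Set<Object> root = new HashSet<>();
        Set<Object> s1 = root;
        Set<Object> s2 = new HashSet<>();
        for (int i = 0; i < depth; i++) {
            Set<Object> t1 = new HashSet<>();
            Set<Object> t2 = new HashSet<>();
            t1.add("foo"); // make t1 != t2 so both survive as distinct members
            s1.add(t1);
            s1.add(t2);
            s2.add(t1);
            s2.add(t2);
            s1 = t1;
            s2 = t2;
        }
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(root);
        }
        return bos.toByteArray();
    }

    static final List<String> WHITELIST = Arrays.asList("java.util.HashSet", "java.lang.String");

    /** Milliseconds the unfiltered stream needs to rebuild the payload. */
    static long unfilteredMillis(int depth) throws IOException, ClassNotFoundException {
        byte[] payload = buildNestedHashSetPayload(depth);
        long start = System.nanoTime();
        try (ObjectInputStream in = new WhitelistOnlyObjectInputStream(new ByteArrayInputStream(payload), WHITELIST)) {
            in.readObject();
        }
        return (System.nanoTime() - start) / 1_000_000;
    }

    /** True when the filtered stream rejects the payload instead of rebuilding it. */
    static boolean filteredRejects(int depth, int maxDepth) throws IOException, ClassNotFoundException {
        byte[] payload = buildNestedHashSetPayload(depth);
        try (ObjectInputStream in = new FilteredObjectInputStream(new ByteArrayInputStream(payload), WHITELIST, maxDepth)) {
            in.readObject();
            return false;
        } catch (InvalidClassException e) { // "filter status: REJECTED"
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Each extra two levels roughly quadruples the unfiltered cost; a depth of 100 never finishes.
        // A shallow graph (depth 8) passes the maxdepth=16 filter; the deeper ones are rejected up front.
        for (int depth : new int[] {8, 16, 18, 20}) {
            System.out.printf("depth %d: unfiltered %d ms, filtered(maxdepth=16) rejected=%b%n",
                    depth, unfilteredMillis(depth), filteredRejects(depth, 16));
        }
    }
}
```

The filter rejects at the first object read beyond the depth limit, before any HashSet.readObject() has put an element, so the exponential hashCode() work is never started; that is why the structural filter, and not the class whitelist, is the control that matters for this bug.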


WAF Protection Rules

WAF Rule

A serialization vulnerability in the logback receiver component, part of logback versions 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Reasoning

The vulnerability stems from missing initialization of the deserialization filter in `HardenedObjectInputStream`'s constructor. The fix commit (7018a36) adds the missing `initObjectFilter()` call, and the accompanying test case demonstrates that with