-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ch.qos.logback:logback-core | maven | >= 1.4.0, < 1.5.13 | 1.5.13 |
| ch.qos.logback:logback-core | maven | < 1.3.15 | 1.3.15 |
Miggo AIRoot Cause AnalysisThe vulnerability is an Expression Language Injection in JaninoEventEvaluator. The provided commit 2cb6d520df7592ef1c3a198f1b5df3c10c93e183 completely removes the JaninoEventEvaluator and its base class JaninoEventEvaluatorBase, along with related test files and configuration helpers like ClassicEvaluatorAction. This removal is a direct mitigation of the vulnerability. The core of the vulnerability lies in how these classes handle and evaluate expressions using the Janino library.
JaninoEventEvaluatorBase.setExpression(String expression): This method would receive the potentially malicious expression from the logback configuration.JaninoEventEvaluator.getDecoratedExpression(): This method in the derived class would further process this expression.JaninoEventEvaluatorBase.start(): This method would then take the expression and initialize/compile it using Janino's ScriptEvaluator.JaninoEventEvaluatorBase.evaluate(E event): This method is the sink where the compiled, potentially malicious, expression is executed, leading to arbitrary code execution.The ClassicEvaluatorAction.defaultClassName() method is included because it directly facilitated the use of the vulnerable JaninoEventEvaluator by returning its class name for instantiation within the Joran configuration framework.
The patch evidence clearly shows these classes and their methods being removed, indicating they were central to the vulnerable functionality. The confidence is high for the methods directly involved in expression handling and evaluation, and medium for the helper action class.
A Semantic Attack on Google Gemini - Read the Latest Research