WS-2021-0491 (Medium) detected in logback-classic-1.2.3.jar - autoclosed
Closed this issue · 1 comments
mend-bolt-for-github commented
WS-2021-0491 - Medium Severity Vulnerability
Vulnerable Library - logback-classic-1.2.3.jar
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: api/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
  - spring-boot-starter-1.5.22.RELEASE.jar
    - spring-boot-starter-logging-1.5.22.RELEASE.jar
      - ❌ logback-classic-1.2.3.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
LOGBack before 1.2.8 is vulnerable to Remote-Code-Execution (RCE) when write access to 'logback.xml' and JNDI lookup are enabled.
Publish Date: 2021-12-13
URL: WS-2021-0491
mend-bolt-for-github commented
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.