Skip to content

Commit 8b0be5e

Browse files
1 parent b1af6e8 commit 8b0be5e

2 files changed

Lines changed: 64 additions & 36 deletions

File tree

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-p47f-322f-whfh",
4+
"modified": "2026-07-02T13:55:30Z",
5+
"published": "2026-05-28T15:39:50Z",
6+
"aliases": [
7+
"CVE-2026-9828"
8+
],
9+
"summary": "QOS.CH Sarl logback logback-core has a deserialization of untrusted data vulnerability",
10+
"details": "Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted.\n\nMore precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked.\n\nAlthough deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions.\n\nThis issue affects logback: through 1.5.32 inclusive.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/RE:L/U:Green"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "ch.qos.logback:logback-core"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.5.33"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 1.5.32"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "ADVISORY",
44+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9828"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/qos-ch/logback"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://logback.qos.ch/news.html#1.5.33"
53+
}
54+
],
55+
"database_specific": {
56+
"cwe_ids": [
57+
"CWE-502"
58+
],
59+
"severity": "LOW",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2026-07-02T13:55:30Z",
62+
"nvd_published_at": "2026-05-28T14:16:27Z"
63+
}
64+
}

advisories/unreviewed/2026/05/GHSA-p47f-322f-whfh/GHSA-p47f-322f-whfh.json

Lines changed: 0 additions & 36 deletions
This file was deleted.

0 commit comments

Comments
 (0)