Closed freedom1b2830 closed 2 years ago
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
So if an attacker has access to your Eclipse installation, you are lost anyway and he can execute any code...
Still need an update to 1.2.9+ to close the possible vector.
First you need to determine what feature is installing these bundles. I assume it is not any of the features from the actual Eclipse IDE project (Equinox, PDE, JDT, Platform), because I don't see these bundles installed on my base installation.
Eclipse IDE for Enterprise Java and Web Developers (includes Incubating components) Version: 2022-03 (4.23.0) Build id: 20220310-1457
*** Plug-in Registry: ch.qos.logback.classic (1.2.3.v20200428-2012) "Logback Classic Module" [Resolved]
Id: ch.qos.logback.classic, Version: 1.2.3.v20200428-2012, Location: reference:file:plugins/ch.qos.logback.classic_1.2.3.v20200428-2012.jar
I would venture the plugins are installed by m2e. So you should open an issue with m2e.
I think we can close this issue here.
Yes, m2e would be satisfied with higher versions but it's the only thing bound to these older versions:
@jonahgraham FYI.
I don't know where to write about these libraries
CVE-2021-42550
scanner args:[--scan-log4j1 --scan-logback --scan-zip]
[?] Found CVE-2021-42550 (logback 1.2.7) vulnerability in $ECLIPSE_DIR/plugins/ch.qos.logback.classic_1.2.3.v20200428-2012.jar, logback N/A
[?] Found CVE-2021-42550 (logback 1.2.7) vulnerability in $HOME/.p2/pool/plugins/ch.qos.logback.classic_1.1.2.v20171220-1825.jar, logback N/A