Logback
Deserialization restriction bypass in QOS.CH Sarl logback-core affects all versions through 1.5.33, allowing unauthenticated network attackers who can influence serialized data to instantiate Java Proxy objects via SimpleSocketServer or SimpleSSLSocketServer. Despite the 'RCE' tag in source intelligence, the vendor explicitly states that no practical path to remote code execution or significant privilege escalation has been identified; this is a bypass of the HardenedObjectInputStream defense mechanism, a security boundary, not a full compromise vector. A proof-of-concept exists (CVSS E:P), though CVSS 4.0 scores the overall risk at 2.9 due to high attack complexity and prerequisite deployment conditions.