{"id":"CVE-2021-42550","details":"In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration that allows execution of arbitrary code loaded from LDAP servers.","aliases":["GHSA-668q-qrv7-99fm"],"modified":"2026-04-02T07:34:47.111603Z","published":"2021-12-16T19:15:08.297Z","related":["SUSE-SU-2023:2097-1","openSUSE-SU-2024:12026-1","openSUSE-SU-2024:12224-1"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20211229-0001/"},{"type":"ADVISORY","url":"http://logback.qos.ch/news.html"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2022/Jul/11"},{"type":"ADVISORY","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf"},{"type":"FIX","url":"https://jira.qos.ch/browse/LOGBACK-1591"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html"},{"type":"EVIDENCE","url":"https://github.com/cn-panda/logbackRceDemo"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/qos-ch/logback","events":[{"introduced":"0"},{"last_affected":"626c7733c188f2ad60c1348a493761f60e2d7958"},{"introduced":"0"},{"last_affected":"9d4cbcc80f30a6c6915f4ee667e72d69a159bde0"},{"introduced":"0"},{"last_affected":"b6dbbba5b7cb97affd9e7ada6d44efc60f859e2d"},{"introduced":"0"},{"last_affected":"9b684f41c07d5ebfecfea1a2c5c6198d47c71ac2"},{"introduced":"0"},{"last_affected":"1f052b53a954bdfa8d893f9906b767821b3af62f"},{"introduced":"0"},{"last_affected":"e23e9c0e12dec801897fa440b2302b01dfa2abce"},{"introduced":"0"},{"last_affected":"241d1e72b0ab24db502068bde5de8f6f562ef157"},{"introduced":"0"},{"last_affected":"364989315c257b2388d17cc757b1bc03f66e3a30"},{"introduced":"0"},{"last_affected":"cfc8247f9215f2aa14715da95b5813393b9c4ada"},{"introduced":"0"},{"last_affected":"40da1f7435acd90f640b0fc0aa5d33894e472731"},{"introduced":"0"},{"last_affected":"d993a7abe495f04a
d3bee033ad060711d05830e4"},{"introduced":"0"},{"fixed":"791680229b8644535b7b6e9b1aa8dc5ad1e17e0c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.2.7"},{"introduced":"0"},{"last_affected":"1.3.0-alpha0"},{"introduced":"0"},{"last_affected":"1.3.0-alpha10"},{"introduced":"0"},{"last_affected":"1.3.0-alpha2"},{"introduced":"0"},{"last_affected":"1.3.0-alpha3"},{"introduced":"0"},{"last_affected":"1.3.0-alpha4"},{"introduced":"0"},{"last_affected":"1.3.0-alpha5"},{"introduced":"0"},{"last_affected":"1.3.0-alpha6"},{"introduced":"0"},{"last_affected":"1.3.0-alpha7"},{"introduced":"0"},{"last_affected":"1.3.0-alpha8"},{"introduced":"0"},{"last_affected":"1.3.0-alpha9"},{"introduced":"0"},{"fixed":"1.0.3"}]}}],"versions":["release-0.2","release-0.2.5","release-0.3","release-0.4","release-0.5","release-0.6","release-0.7","release-0.7.1","release-0.8","release-0.8.1","release-0.9","release-0.9.2","release-0.9.3","release-0.9.4","release_0.9.1","release_0.9.11","release_0.9.14","release_0.9.15","release_0.9.16","release_0.9.17","release_0.9.19","release_0.9.6","release_0.9.8","release_0.9.9","v0.9.18","v0.9.20","v_0.9.21","v_0.9.22","v_0.9.23","v_0.9.24","v_0.9.25","v_0.9.26","v_0.9.27","v_0.9.28","v_0.9.29","v_0.9.30","v_1.0.0","v_1.0.1","v_1.0.2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.3.0-alpha1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-42550.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}