Krishna Chidrawar created KAFKA-20206:
-----------------------------------------
Summary: [CVE-2026-1225] [logback-core] [1.5.15] | Kafka
Key: KAFKA-20206
URL: https://issues.apache.org/jira/browse/KAFKA-20206
Project: Kafka
Issue Type: Bug
Reporter: Krishna Chidrawar
CE vulnerability in configuration file processing by QOS.CH logback-core up to
and including version 1.5.24 in Java applications, allows an attacker to
instantiate classes already present on the class path by compromising an
existing logback configuration file.
The instantiation of a potentially malicious Java class requires that said
class is present on the user's class-path. In addition, the attacker must have
write access to a configuration file. However, after successful instantiation,
the instance is very likely to be discarded with no further ado.
*NVD URL :* [https://nvd.nist.gov/vuln/detail/CVE-2026-1225]
*Fix Version :* 1.5.25