[ https://issues.apache.org/jira/browse/KAFKA-20206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Krishna Chidrawar resolved KAFKA-20206.
---------------------------------------
Resolution: Not A Bug
> [CVE-2026-1225] [logback-core] [1.5.15] | Kafka
> -----------------------------------------------
>
> Key: KAFKA-20206
> URL: https://issues.apache.org/jira/browse/KAFKA-20206
> Project: Kafka
> Issue Type: Bug
> Reporter: Krishna Chidrawar
> Priority: Critical
>
> CE vulnerability in configuration file processing by QOS.CH logback-core up
> to and including version 1.5.24 in Java applications, allows an attacker to
> instantiate classes already present on the class path by compromising an
> existing logback configuration file.
> The instantiation of a potentially malicious Java class requires that said
> class is present on the user's class-path. In addition, the attacker must
> have write access to a configuration file. However, after successful
> instantiation, the instance is very likely to be discarded with no further ado.
> *NVD URL :* [https://nvd.nist.gov/vuln/detail/CVE-2026-1225]
> *Fix Version :* 1.5.25