[JIRA] Updates for LOGBACK-1593: sessionViaJNDI function of SMTPAppender may suffer from JNDI injection

logback / LOGBACK-1593 [Open] sessionViaJNDI function of SMTPAppender may suffer from JNDI injection
==============================
Here's what changed in this issue in the last few minutes.
This issue has been created.
This issue is now assigned to you.
View or comment on issue using this link: https://jira.qos.ch/browse/LOGBACK-1593
==============================
Issue created
------------------------------
Diggid created this issue on 16/Dec/21 6:49 AM

Summary: sessionViaJNDI function of SMTPAppender may suffer from JNDI injection
Issue Type: Bug
Assignee: Logback dev list
Attachments: poc.pdf
Components: logback-classic, logback-core
Created: 16/Dec/21 6:49 AM
Labels: smtpappender
Priority: Critical
Reporter: Diggid

Description:
Hello friend! Similar to CVE-2021-4104 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104), in logback's SMTPAppender, it is possible to override the configuration to enable sessionViaJNDI and specify jndiLocation as a malicious JNDI server, leading to JNDI injection and even RCE. More details are in the attached PDF.
==============================
This message was sent by Atlassian Jira (v8.8.0#808000-sha1:e2c7e59)
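The risk the report describes depends on two SMTPAppender settings being present together in a logback configuration: sessionViaJNDI turned on and a jndiLocation that an attacker can point at a naming service they control. The following audit script is an added example (not part of the ticket, the attached PoC, or logback's own code) that walks a logback.xml and flags SMTPAppender instances with sessionViaJNDI enabled whose jndiLocation either uses ${...} substitution (so it can be overridden at runtime) or lies outside the container-local java:comp/env/ namespace; the choice of that prefix as the "expected" namespace is an assumption of this script, as are the two constructed sample configurations.

```python
import xml.etree.ElementTree as ET

SMTP_APPENDER = "ch.qos.logback.classic.net.SMTPAppender"
# Assumption: names below java:comp/env/ resolve inside the container's own
# environment; anything else is treated as worth a manual look.
LOCAL_JNDI_PREFIX = "java:comp/env/"


def audit_logback_config(xml_text):
    """Return (appender_name, finding) tuples for risky SMTPAppender setups."""
    findings = []
    root = ET.fromstring(xml_text)
    for app in root.iter("appender"):
        if app.get("class") != SMTP_APPENDER:
            continue
        name = app.get("name", "<unnamed>")
        via_jndi = (app.findtext("sessionViaJNDI") or "false").strip().lower()
        if via_jndi != "true":
            continue  # mail session built from smtpHost/smtpPort; no JNDI lookup
        location = app.findtext("jndiLocation")
        if location is None:
            continue  # appender falls back to logback's built-in default location
        location = location.strip()
        if "${" in location:
            findings.append((name, "jndiLocation uses variable substitution and "
                                   "can be overridden by a property or env var"))
        elif not location.startswith(LOCAL_JNDI_PREFIX):
            findings.append((name, "jndiLocation outside %s: %s"
                                   % (LOCAL_JNDI_PREFIX, location or "<empty>")))
    return findings


# Constructed sample: the mail session is looked up via a name an operator (or an
# attacker who controls system properties) can redirect at runtime.
RISKY_CONFIG = """<configuration>
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <sessionViaJNDI>true</sessionViaJNDI>
    <jndiLocation>${mail.jndi.name}</jndiLocation>
    <to>ops@example.invalid</to>
  </appender>
</configuration>"""

# Constructed sample: lookup pinned to a fixed, container-local name.
HARDENED_CONFIG = """<configuration>
  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
    <sessionViaJNDI>true</sessionViaJNDI>
    <jndiLocation>java:comp/env/mail/Session</jndiLocation>
    <to>ops@example.invalid</to>
  </appender>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_logback_config(cfg))
```

Run it against each deployed logback.xml; an empty result for an appender only means the static file looks fine, so a review should still confirm that no property source can rewrite the value the lookup uses.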