logback-core-1.5.18.jar: 1 vulnerabilities (highest severity is: 6.9)

[mend-bolt-for-github]

Vulnerable Library - logback-core-1.5.18.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /dgrv4_Common_lib/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.18/6c0375624f6f36b4e089e2488ba21334a11ef13f/logback-core-1.5.18.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.18/6c0375624f6f36b4e089e2488ba21334a11ef13f/logback-core-1.5.18.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.18/6c0375624f6f36b4e089e2488ba21334a11ef13f/logback-core-1.5.18.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.18/6c0375624f6f36b4e089e2488ba21334a11ef13f/logback-core-1.5.18.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.18/6c0375624f6f36b4e089e2488ba21334a11ef13f/logback-core-1.5.18.jar

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (logback-core version)	Remediation Possible**
CVE-2025-11226	Medium	6.9	logback-core-1.5.18.jar	Direct	1.5.19	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-11226

Vulnerable Library - logback-core-1.5.18.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /dgrv4_Common_lib/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.18/6c0375624f6f36b4e089e2488ba21334a11ef13f/logback-core-1.5.18.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.18/6c0375624f6f36b4e089e2488ba21334a11ef13f/logback-core-1.5.18.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.18/6c0375624f6f36b4e089e2488ba21334a11ef13f/logback-core-1.5.18.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.18/6c0375624f6f36b4e089e2488ba21334a11ef13f/logback-core-1.5.18.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.18/6c0375624f6f36b4e089e2488ba21334a11ef13f/logback-core-1.5.18.jar

Dependency Hierarchy:

• ❌ logback-core-1.5.18.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must  have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.

Publish Date: 2025-10-01

URL: CVE-2025-11226

CVSS 3 Score Details (6.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-10-01

Fix Resolution: 1.5.19

Step up your Open Source Security Game with Mend here