Skip to content

Update dependency ch.qos.logback:logback-core to v1.5.33 [SECURITY] (master)#914

Open
renovatebot-confluentinc[bot] wants to merge 1 commit into
masterfrom
renovate/master-logback.version
Open

Update dependency ch.qos.logback:logback-core to v1.5.33 [SECURITY] (master)#914
renovatebot-confluentinc[bot] wants to merge 1 commit into
masterfrom
renovate/master-logback.version

Conversation

@renovatebot-confluentinc

@renovatebot-confluentinc renovatebot-confluentinc Bot commented Feb 19, 2026

Copy link
Copy Markdown
Contributor

For any questions/concerns about this PR, please review the Renovate Bot wiki/FAQs, or the #renovatebot Slack channel.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
ch.qos.logback:logback-core (source, changelog) 1.5.191.5.33 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Logback allows an attacker to instantiate classes already present on the class path

CVE-2026-1225 / GHSA-qqpg-mvqg-649v

More information

Details

ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.

The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

Severity

  • CVSS Score: 1.8 / 10 (Low)
  • Vector String: CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


QOS.CH Sarl logback logback-core has a deserialization of untrusted data vulnerability

CVE-2026-9828 / GHSA-p47f-322f-whfh

More information

Details

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted.

More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked.

Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions.

This issue affects logback: through 1.5.32 inclusive.

Severity

  • CVSS Score: 1.2 / 10 (Low)
  • Vector String: CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/RE:L/U:Green

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Logback allows an attacker to instantiate classes already present on the class path

CVE-2026-1225 / GHSA-qqpg-mvqg-649v

More information

Details

ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.

The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

Severity

  • CVSS Score: 1.8 / 10 (Low)
  • Vector String: CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


QOS.CH Sarl logback logback-core has a deserialization of untrusted data vulnerability

CVE-2026-9828 / GHSA-p47f-322f-whfh

More information

Details

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted.

More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked.

Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions.

This issue affects logback: through 1.5.32 inclusive.

Severity

  • CVSS Score: 1.2 / 10 (Low)
  • Vector String: CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/RE:L/U:Green

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@renovatebot-confluentinc renovatebot-confluentinc Bot changed the title chore(deps): update dependency ch.qos.logback:logback-core to v1.5.25 [security] (master) Update dependency ch.qos.logback:logback-core to v1.5.25 [SECURITY] (master) May 6, 2026
@service-bot-app service-bot-app Bot marked this pull request as ready for review June 1, 2026 23:27
@service-bot-app service-bot-app Bot requested a review from a team as a code owner June 1, 2026 23:27
@service-bot-app

Copy link
Copy Markdown
Contributor

Could not automerge PR: CI checks have not passed

@renovatebot-confluentinc renovatebot-confluentinc Bot changed the title Update dependency ch.qos.logback:logback-core to v1.5.25 [SECURITY] (master) Update dependency ch.qos.logback:logback-core to v1.5.33 [SECURITY] (master) Jul 6, 2026
@renovatebot-confluentinc renovatebot-confluentinc Bot force-pushed the renovate/master-logback.version branch from 41a2c33 to c49343e Compare July 6, 2026 16:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants