SYNC-2021-2610 - Denial of Service (DoS)
Severity: Low
Date: 2021-12-10
Abstract
The logback-core package is vulnerable to XML eXternal Entity (XXE) attacks. An attacker can exploit this vulnerability by supplying XML data with a Document Type Definition (DTD) that contains malicious external entity references. Depending on how the entities are defined, parsing such a DTD can disclose local files to the attacker or exhaust memory and CPU through nested entity expansion, which is the denial-of-service outcome named in the title of this advisory.
The Oxygen Feedback product incorporates logback-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
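As an added illustration of the attack class described in the abstract (example code written for this page, not logback's or Oxygen Feedback's own code): a plain Java SAX parser is fed a constructed DTD payload twice, first with the JDK defaults and then with DOCTYPE processing disabled. The temporary file, the two payloads and the `configuration` element name are constructed for the demo; the feature URIs are the standard JAXP/Xerces ones. Java 11 or later is assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Added example for this advisory page; not code from logback or Oxygen Feedback.
// Shows what a DTD-based XXE payload does to a default JDK SAX parser versus a
// parser that refuses DOCTYPE declarations altogether.
public class XxeDemo {

    // Collects character data so we can see what the parser expanded.
    static final class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        @Override
        public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }
    }

    // JDK defaults: DTDs are processed and external general entities are resolved.
    static SAXParserFactory defaultFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened: reject any DOCTYPE, so neither external nor expanding entities can be declared.
    // The remaining features are defence in depth for parsers that ignore the first one.
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f;
    }

    // Parses the document and returns the concatenated text content.
    static String parse(SAXParserFactory factory, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParser parser = factory.newSAXParser();
        TextCollector handler = new TextCollector();
        parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), handler);
        return handler.text.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file (e.g. an application config).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db.password=hunter2");
        secret.toFile().deleteOnExit();

        // Payload 1 (constructed): external entity pointing at a local file -> data disclosure.
        String fileRead =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE configuration [\n" +
            "  <!ENTITY leak SYSTEM \"" + secret.toUri() + "\">\n" +
            "]>\n" +
            "<configuration>&leak;</configuration>";

        // Payload 2 (constructed): nested entity expansion ("billion laughs" shape) -> DoS.
        // Kept small (10 * 10 * 10 = 1000 characters) so it stays under the JDK expansion limit.
        String expansion =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE configuration [\n" +
            "  <!ENTITY a \"aaaaaaaaaa\">\n" +
            "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n" +
            "  <!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">\n" +
            "]>\n" +
            "<configuration>&c;</configuration>";

        System.out.println("default parser, file-read payload  -> " + parse(defaultFactory(), fileRead));
        System.out.println("default parser, expansion payload  -> "
            + parse(defaultFactory(), expansion).length() + " characters");

        for (String payload : new String[] { fileRead, expansion }) {
            try {
                parse(hardenedFactory(), payload);
                System.out.println("hardened parser: unexpectedly accepted payload");
            } catch (SAXException e) {
                System.out.println("hardened parser rejected payload: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. The default parser echoes the temporary file's contents and returns a 1000-character string from the second payload; the hardened parser throws a SAXParseException on the DOCTYPE before any entity is resolved. For a library that parses XML it did not author, the practical check is whether the `SAXParserFactory` or `DocumentBuilderFactory` it builds sets these features, and whether any attacker-controlled input can reach that parser at all; the advisory below reaches its "not impacted" conclusion on the second point.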
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen Feedback 1.4.3 and older | Low | Oxygen Feedback 1.4.4 build 2021062217 |
Detail
SYNC-2021-2610 (severity of the underlying logback-core vulnerability, as opposed to the product-level severity given above)
Severity: High
CVSS Score: 8.6
The logback-core version bundled with the Oxygen Feedback product is among the affected versions listed in the SYNC-2021-2610 vulnerability description. However, Oxygen Feedback does not accept XML data as user input, so an attacker has no way to deliver a crafted DTD to the vulnerable parser. Therefore the Oxygen Feedback product is not impacted by SYNC-2021-2610.
Starting with Oxygen Feedback version 1.4.4, logback-core was updated to version 1.2.6, which includes a fix for SYNC-2021-2610.