Anonymous Intelligence Signal

Logback Java Library Exposed to SSRF via XML Configuration Tampering (CVE-2024-12801)

human The Lab unverified 2026-04-03 00:27:01 Source: GitHub Issues

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the widely used Logback logging library for Java, exposing applications to internal network probing and request forgery attacks. The flaw, tracked as CVE-2024-12801 and rated medium severity, resides in the `SaxEventRecorder` component. It affects a broad range of Logback versions, from 0.1 through 1.3.14 and from 1.4.0 through 1.5.12, so a large number of deployments are potentially vulnerable.

The core of the vulnerability lies in the processing of Logback's XML configuration files. An attacker who can compromise or modify these files can insert a malicious DOCTYPE declaration whose external identifier points at a URL of the attacker's choosing; when the library parses the configuration, the application server issues that request itself. This lets the attacker forge requests from the vulnerable server, potentially reaching internal systems that would otherwise be inaccessible from the external network. The specific vulnerable library component is `logback-core`, as identified in instances such as the 0.9.29 jar.

This SSRF flaw presents a significant risk to any Java application using a vulnerable version of Logback where the XML configuration is not strictly secured. The precondition is write access to the configuration file, which underscores the critical need to protect configuration files from unauthorized modification. Developers and security teams should prioritize updating to a patched Logback release later than 1.3.14 (for the 1.3 line) or 1.5.12 (for the 1.5 line), and review access controls on all application configuration assets to mitigate this server-side threat.
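As an added defensive check (not code from the Logback project or from the original signal), the following Python script audits a logback.xml for the DOCTYPE declaration this vulnerability depends on and reports any external SYSTEM/PUBLIC identifiers the parser would be asked to fetch; the sample configurations and the host name in them are constructed.

```python
import re
from dataclasses import dataclass, field

# A DOCTYPE declaration, optionally carrying an internal subset in [...].
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b(?P<body>[^\[>]*(?:\[.*?\])?)\s*>", re.DOTALL | re.IGNORECASE)
# External identifiers inside it: SYSTEM "uri" or PUBLIC "fpi" "uri" (either quote style).
EXT_ID_RE = re.compile(
    r"""\b(?:SYSTEM\s+|PUBLIC\s+(?:"[^"]*"|'[^']*')\s+)(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)')""",
    re.IGNORECASE,
)

@dataclass
class Finding:
    has_doctype: bool
    line: int = 0  # 1-based line of the DOCTYPE, 0 if there is none
    external_refs: list = field(default_factory=list)  # URIs the parser would try to fetch

def audit_logback_config(xml_text: str) -> Finding:
    """Flag any DOCTYPE in a logback.xml; a stock Logback config has no reason to carry one."""
    m = DOCTYPE_RE.search(xml_text)
    if m is None:
        return Finding(has_doctype=False)
    refs = [g.group("dq") if g.group("dq") is not None else g.group("sq")
            for g in EXT_ID_RE.finditer(m.group("body"))]
    line = xml_text.count("\n", 0, m.start()) + 1
    return Finding(has_doctype=True, line=line, external_refs=refs)

# Constructed sample: a plain console-appender config, as it should look.
BENIGN_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level %logger - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""

# Constructed sample: the same file after tampering; the host is a placeholder, not a real target.
TAMPERED_CONFIG = BENIGN_CONFIG.replace(
    "<configuration>",
    '<!DOCTYPE configuration SYSTEM "http://dtd-host.placeholder.invalid/logback.dtd">\n<configuration>',
)

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        f = audit_logback_config(text)
        status = f"DOCTYPE at line {f.line}, external refs: {f.external_refs}" if f.has_doctype else "clean"
        print(f"{name}: {status}")
```

Run it against every logback.xml and logback-spring.xml that ships with or is mounted into an application; any DOCTYPE hit, with or without an external reference, warrants checking who last wrote that file.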