CVE-2023-6378 - Denial of Service (DoS)
Severity: None2024-01-19
Abstract
A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
The Oxygen products incorporate logback as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| Oxygen XML Author v26.0 | None | Oxygen XML Author 26.1 build 2024031806 |
| Oxygen XML Developer v26.0 | None | Oxygen XML Developer 26.1 build 2024031806 |
| Oxygen XML Editor v26.0 | None | Oxygen XML Editor 26.1 build 2024031806 |
| Oxygen JSON Editor v26.0 | None | Oxygen XML Editor 26.1 build 2024031806 |
| Oxygen Content Fusion v6.0 and older | None | N/A |
| Oxygen XML Web Author v26.0.0 and older | None | Oxygen Web Author 26.1.0 build 2024032115 |
| Oxygen Feedback v4.0 and older | None | Oxygen Feedback 4.1 build 2024013118 |
| Oxygen PDF Chemistry v26.0 and older | None | Oxygen PDF Chemistry 26.1 build 2024031515 |
| Oxygen Publishing Engine v26.0 and older | None | Oxygen Publishing Engine 26.1 build 2024031515 |
| Oxygen License Server v26.0 and older | None | Oxygen License Server v26.1 build 2024031513 |
Detail
CVE-2023-6378
Severity: High
CVSS Score: 7.5
The logback third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-6378 vulnerability description. However, Oxygen XML products do not use receiver component part of logback. For that reason, Oxygen XML products are not affected by this vulnerability.
Revision History
2024-03-29 Starting with Oxygen XML Author version 26.1 build 2024031806, the logback was updated to a new version which includes a fix for CVE-2023-6378.
2024-03-29 Starting with Oxygen XML Developer version 26.1 build 2024031806, the logback was updated to a new version which includes a fix for CVE-2023-6378.
2024-03-29 Starting with Oxygen XML Editor version 26.1 build 2024031806, the logback was updated to a new version which includes a fix for CVE-2023-6378.
2024-03-29 Starting with Oxygen JSON Editor version 26.1 build 2024031806, the logback was updated to a new version which includes a fix for CVE-2023-6378.
2024-03-29 Starting with Oxygen XML Web Author version 26.1.0 build 2024032115, the logback was updated to a new version which includes a fix for CVE-2023-6378.
2024-03-29 Starting with Oxygen PDF Chemistry version 26.1 build 2024031515, the logback was updated to a new version which includes a fix for CVE-2023-6378.
2024-03-29 Starting with Oxygen Publishing Engine version 26.1 build 2024031515, the logback was updated to a new version which includes a fix for CVE-2023-6378.
2024-03-29 Starting with Oxygen License Server version 26.1 build 2024031513, the logback was updated to a new version which includes a fix for CVE-2023-6378.
