SYNC-2021-2610 - Denial of Service (DoS)

Severity: Low

2021-12-10

Abstract

The logback-core package is vulnerable to XML eXternal Entity (XXE) attacks. An attacker can exploit this vulnerability by supplying XML data with a Document Type Definition (DTD) that contains malicious external entity references.

The Oxygen Feedback product incorporates logback-core as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen Feedback 1.4.3 and older | Low | Oxygen Feedback 1.4.4 build 2021062217 |

Mitigation

None

Detail

SYNC-2021-2610

Severity: High

CVSS Score: 8.6

The logback-core third-party library used by the Oxygen Feedback product is one of the affected versions mentioned in the SYNC-2021-2610 vulnerability description. However, Oxygen Feedback does not accept XML data as user input, so the product is not impacted by SYNC-2021-2610.

Starting with Oxygen Feedback version 1.4.4, logback-core was updated to version 1.2.6, which includes a fix for SYNC-2021-2610.
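
To confirm which logback-core version a deployment actually ships, the following added example (not part of the vendor advisory or the product) walks a directory tree and reports every logback-core jar it finds, loose or bundled inside a .jar/.war/.ear archive, flagging those below 1.2.6. Assumptions: the library is identified by its standard `logback-core-<version>.jar` file name, versions are compared numerically only, and the function names are illustrative; the advisory says nothing about other release lines, so qualifiers such as pre-release tags are reported but not judged.

```python
import re
import sys
import zipfile
from pathlib import Path

FIXED = (1, 2, 6)  # logback-core release the advisory names as containing the fix
ARCHIVES = {".jar", ".war", ".ear"}
JAR_RE = re.compile(r"(?:^|/)logback-core-(\d+(?:\.\d+)*)([^/]*)\.jar$")

def parse_version(name):
    """Return ((major, minor, ...), qualifier) for a logback-core jar path, else None."""
    m = JAR_RE.search(name.replace("\\", "/"))
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)

def needs_update(nums):
    """True when the numeric version sorts below FIXED (assumption: numeric order only)."""
    return nums + (0,) * (len(FIXED) - len(nums)) < FIXED

def scan(root):
    """List (location, version, needs_update) for loose and bundled logback-core jars."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        candidates = [(str(path), path.name)]
        # Deployed applications usually carry the library inside an archive
        # (for example WEB-INF/lib/ in a WAR), so list archive entries too.
        if path.suffix.lower() in ARCHIVES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                candidates += [(f"{path}!{e}", e) for e in zf.namelist()]
        for location, name in candidates:
            version = parse_version(name)
            if version:
                findings.append((location, version, needs_update(version[0])))
    return findings

if __name__ == "__main__":
    for location, (nums, qualifier), stale in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        label = "UPDATE" if stale else "ok"
        print(f"{label:6} {'.'.join(map(str, nums))}{qualifier}  {location}")
```

Run it with the installation directory as the only argument; archives nested more than one level deep are not opened.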
