CVE-2018-8088
Published: 20 March 2018
org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J, has been fixed in SLF4J versions 1.7.26 later and in the 2.0.x series.
Priority
Medium
CVSS 3 base score: 9.8
Status
| Package | Release | Status |
|---|---|---|
|
libslf4j-java Launchpad, Ubuntu, Debian |
artful |
Ignored
(reached end-of-life)
|
| bionic |
Not vulnerable
(1.7.25-3)
|
|
| cosmic |
Not vulnerable
(1.7.25-3)
|
|
| precise |
Does not exist
|
|
| trusty |
Not vulnerable
(slf4j-ext not built in package)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(slf4j-ext not built in package)
|
|
|
Patches: other: https://src.fedoraproject.org/cgit/rpms/slf4j.git/diff/0001-Disallow-EventData-deserialization-by-default.patch?id=d7cd96bc7a8e8d8d62c8bc62baa7df02cef56c63 |
||
Notes
| Author | Note |
|---|---|
| leosilva | fix provided by upstream seems not to fix, instead use fix provide by Fedora. class was removed in bionic |