CVE-2018-8088
Published: 20 March 2018
org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J, has been fixed in SLF4J versions 1.7.26 later and in the 2.0.x series.
Priority
Medium
CVSS 3 base score: 9.8
Status
| Package | Release | Status |
|---|---|---|
|
libslf4j-java Launchpad, Ubuntu, Debian |
artful |
Ignored
(reached end-of-life)
|
| bionic |
Not vulnerable
(1.7.25-3)
|
|
| cosmic |
Not vulnerable
(1.7.25-3)
|
|
| precise |
Does not exist
|
|
| trusty |
Not vulnerable
(slf4j-ext not built in package)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(slf4j-ext not built in package)
|
Notes
| Author | Note |
|---|---|
| leosilva | fix provided by upstream seems not to fix, instead use fix provide by Fedora. class was removed in bionic |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088
- https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405
- https://jira.qos.ch/browse/SLF4J-430
- https://jira.qos.ch/browse/SLF4J-431
- NVD
- Launchpad
- Debian