Your submission was sent successfully! Close

CVE-2018-8088

Published: 20 March 2018

org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J, has been fixed in SLF4J versions 1.7.26 later and in the 2.0.x series.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
libslf4j-java
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic Not vulnerable
(1.7.25-3)
cosmic Not vulnerable
(1.7.25-3)
precise Does not exist

trusty Not vulnerable
(slf4j-ext not built in package)
upstream Needs triage

xenial Not vulnerable
(slf4j-ext not built in package)
Patches:
other: https://src.fedoraproject.org/cgit/rpms/slf4j.git/diff/0001-Disallow-EventData-deserialization-by-default.patch?id=d7cd96bc7a8e8d8d62c8bc62baa7df02cef56c63