[slf4j-dev] [JIRA] (SLF4J-451) org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.
QOS.CH (JIRA)
noreply-jira at qos.ch
Tue Dec 25 21:42:00 CET 2018
[ https://jira.qos.ch/browse/SLF4J-451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19386#comment-19386 ]
Igor Stepanov commented on SLF4J-451:
-------------------------------------
Same is reproducible for {{1.7.25}}.
It's detected by {{org.owasp:dependency-check-maven:check}} maven command. We get next output after the check:
{code}
slf4j-api-1.7.25.jar (org.slf4j:slf4j-api:1.7.25, cpe:/a:slf4j:slf4j:1.7.25) : CVE-2018-8088
{code}
> org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SLF4J-451
> URL: https://jira.qos.ch/browse/SLF4J-451
> Project: SLF4J
> Issue Type: Bug
> Components: slf4j-ext
> Affects Versions: 1.8.0-beta2
> Environment: Linux
> Reporter: Narayan
> Assignee: SLF4J developers list
> Labels: logging
>
> More details is available in [https://nvd.nist.gov/vuln/detail/CVE-2018-8088|https://nvd.nist.gov/vuln/detail/CVE-2018-8088#VulnChangeHistorySection]
--
This message was sent by Atlassian JIRA
(v7.3.1#73012)
More information about the slf4j-dev
mailing list