[slf4j-dev] [JIRA] (SLF4J-451) org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.

QOS.CH (JIRA) noreply-jira at qos.ch
Tue Feb 5 15:00:00 CET 2019


    [ https://jira.qos.ch/browse/SLF4J-451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19422#comment-19422 ] 

Kevin Wilson commented on SLF4J-451:
------------------------------------

>> It is irrelevent whether the vulnerability is really neither critical nor severe.

Agreed!!! Very nice account as to why this bug should be fixed and soon! Also, the primary maintainers need to include vulnerability scanning in their build pipeline to catch things like this before they are committed. The open source tools to have your code scanned on every build exists and are quite good, you simply have to use them.

> org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SLF4J-451
>                 URL: https://jira.qos.ch/browse/SLF4J-451
>             Project: SLF4J
>          Issue Type: Bug
>          Components: slf4j-ext
>    Affects Versions: 1.8.0-beta2
>         Environment: Linux 
>            Reporter: Narayan
>            Assignee: SLF4J developers list
>              Labels: logging
>
> More details is available in [https://nvd.nist.gov/vuln/detail/CVE-2018-8088|https://nvd.nist.gov/vuln/detail/CVE-2018-8088#VulnChangeHistorySection]



--
This message was sent by Atlassian JIRA
(v7.3.1#73012)


More information about the slf4j-dev mailing list