[slf4j-dev] [JIRA] (SLF4J-451) org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.

QOS.CH (JIRA) noreply-jira at qos.ch
Mon Feb 18 22:19:00 CET 2019


    [ https://jira.qos.ch/browse/SLF4J-451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19431#comment-19431 ] 

Nathan Jensen commented on SLF4J-451:
-------------------------------------

Thank you for fixing the CVE for the 1.7 branch. Even though it did not apply to our project, it showed up in security scans and required explanations to managers about how it did not affect our project. I received the email that 1.7.26 is available, but it does not appear to be on the downloads page or Maven Central. Can you please update those locations to provide 1.7.26? Thank you.

> org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SLF4J-451
>                 URL: https://jira.qos.ch/browse/SLF4J-451
>             Project: SLF4J
>          Issue Type: Bug
>          Components: slf4j-ext
>    Affects Versions: 1.8.0-beta2
>         Environment: Linux 
>            Reporter: Narayan
>            Assignee: SLF4J developers list
>              Labels: logging
>
> More details are available in [https://nvd.nist.gov/vuln/detail/CVE-2018-8088|https://nvd.nist.gov/vuln/detail/CVE-2018-8088#VulnChangeHistorySection]



--
This message was sent by Atlassian JIRA
(v7.3.1#73012)

