PT-2018-2981 · Qos.Ch+3 · Slf4J+3

Published: 2018-03-20 · Updated: 2024-06-15 · CVE-2018-8088

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

SLF4J versions prior to 1.7.26
SLF4J versions prior to 1.8.0-beta2
SLF4J versions 1.8.0-beta2 through 1.8.0-beta3
Description

The issue is in the org.slf4j.ext.EventData component of the slf4j-ext module of the SLF4J library. EventData deserializes untrusted data: crafted serialized input restores an invalid data structure in memory, which allows remote attackers to bypass intended access restrictions. The estimated number of potentially affected devices is not specified.
Recommendations

For SLF4J versions prior to 1.7.26, update to version 1.7.26 or later.
For SLF4J versions prior to 1.8.0-beta2, update to version 1.8.0-beta2 or later, but note that versions up to 1.8.0-beta3 are still vulnerable.
For SLF4J versions 1.8.0-beta2 through 1.8.0-beta3, update to version 1.8.0-beta4 or later.

As a temporary workaround, consider restricting access to the org.slf4j.ext.EventData component until a patch is available.

Fix

Weakness Enumeration

Deserialization of Untrusted Data
Improper Access Control

Related Identifiers

BDU:2019-03107
CESA-2018_0592
CVE-2018-8088
GHSA-W77P-8CFG-2X43
OPENSUSE-SU-2018_1625-1
OPENSUSE-SU-2024:11386-1
RHSA-2018:0582
RHSA-2018:0592
RHSA-2018:0627
RHSA-2018:0628
RHSA-2018:1247
RHSA-2018:1248
RHSA-2018:1249
RHSA-2018:1448
RHSA-2018:1449
RHSA-2018:1450
RHSA-2018:1451
RHSA-2018:1525
RHSA-2018_0592
SUSE-SU-2018:1744-1
SUSE-SU-2018_1744-1

Affected Products

Centos
Red Hat
Slf4J
Suse