[JIRA] (SLF4J-451) org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.

[ https://jira.qos.ch/browse/SLF4J-451?page=com.atlassian.jira.plugin.system.i... ]

Mark Symons commented on SLF4J-451:
-----------------------------------

The CVE reports "before 1.8.0-beta2" and "versions up to (including) 1.7.25".

Thus...
* The "affects version" field in this issue is incorrect. Should be 1.7.25?
* The threat is apparently fixed (1.8.0-beta2)
* When might 1.8.0 be released? If 1.8.0 is not close, then could perhaps 1.7.26 be released with a fix?

The CVE has a CVSS v3.0 Base Score of 9.8

org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.
--------------------------------------------------------------------------------

Key: SLF4J-451
URL: https://jira.qos.ch/browse/SLF4J-451
Project: SLF4J
Issue Type: Bug
Components: slf4j-ext
Affects Versions: 1.8.0-beta2
Environment: Linux
Reporter: Narayan
Assignee: SLF4J developers list
Labels: logging

More details are available in [https://nvd.nist.gov/vuln/detail/CVE-2018-8088|https://nvd.nist.gov/vuln/detail/CVE-2018-8088#VulnChangeHistorySection]

-- This message was sent by Atlassian JIRA (v7.3.1#73012)