[JIRA] (SLF4J-451) org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.
[ https://jira.qos.ch/browse/SLF4J-451?page=com.atlassian.jira.plugin.system.i... ] Mark Symons commented on SLF4J-451: -----------------------------------
The vulnerability is actually not critical and not even severe.
It is irrelevent whether the vulnerability is really neither critical nor severe. The CVE states that it is. * That means that vulnerability scanning tools will report this. * Thus, managers will demand explanation. * Even worse, customers who follow [OWASP Component Analysis|https://www.owasp.org/index.php/Component_Analysis] recommendations (specifically, "Contractually require BOMs from vendors") will demand explanation.
org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. -------------------------------------------------------------------------------------------------------------------------------------------------------------------
Key: SLF4J-451 URL: https://jira.qos.ch/browse/SLF4J-451 Project: SLF4J Issue Type: Bug Components: slf4j-ext Affects Versions: 1.8.0-beta2 Environment: Linux Reporter: Narayan Assignee: SLF4J developers list Labels: logging
More details is available in [https://nvd.nist.gov/vuln/detail/CVE-2018-8088|https://nvd.nist.gov/vuln/detail/CVE-2018-8088#VulnChangeHistorySection]
-- This message was sent by Atlassian JIRA (v7.3.1#73012)
participants (1)
-
QOS.CH (JIRA)