CVE-2018-8088

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 20-03-2018 05:29

Last modified: - 31-01-2022 08:15

Total changes: - 13

Description

org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J, has been fixed in SLF4J versions 1.7.26 later and in the 2.0.x series.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Low

Attack complexity

Network

Attack vector

High

Availability

High

Confidentiality

High

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

9.8

Base score

3.9

5.9

Exploitability score

Impact score

Verification logic

vendor=qos AND product=slf4j AND versionEndExcluding=1.7.26

vendor=qos AND product=slf4j AND version=1.8.0 AND update=alpha1

vendor=qos AND product=slf4j AND version=1.8.0 AND update=alpha2

vendor=qos AND product=slf4j AND version=1.8.0 AND update=beta1

vendor=qos AND product=slf4j AND version=1.8.0 AND update=beta2

AND

vendor=Red Hat Enterprise Linux AND product=jboss_enterprise_application_platform AND version=7.1

vendor=Red Hat Enterprise Linux AND product=enterprise_linux AND version=6.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux AND version=7.0

AND

vendor=Red Hat Enterprise Linux AND product=jboss_enterprise_application_platform AND version=6.4.0

vendor=Red Hat Enterprise Linux AND product=jboss_enterprise_application_platform AND version=6.0.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux AND version=6.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux AND version=7.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux AND version=5.0

AND

vendor=Red Hat Enterprise Linux AND product=virtualization AND version=4.0

vendor=Red Hat Enterprise Linux AND product=virtualization_host AND version=4.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server AND version=7.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_desktop AND version=7.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_eus AND version=7.4

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_eus AND version=7.5

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_eus AND version=7.6

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_eus AND version=7.7

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server AND version=7.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_aus AND version=7.4

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_aus AND version=7.6

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_aus AND version=7.7

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_tus AND version=7.4

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_tus AND version=7.6

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_tus AND version=7.7

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_workstation AND version=7.0

vendor=oracle AND product=goldengate_application_adapters AND version=12.3.2.1.0

vendor=oracle AND product=goldengate_stream_analytics AND versionEndExcluding=19.1.0.0.1

vendor=oracle AND product=utilities_framework AND version=4.2.0.2.0

vendor=oracle AND product=utilities_framework AND version=4.2.0.3.0

vendor=oracle AND product=utilities_framework AND version=4.3.0.2.0

vendor=oracle AND product=utilities_framework AND version=4.3.0.3.0

vendor=oracle AND product=utilities_framework AND version=4.3.0.4.0

vendor=oracle AND product=utilities_framework AND version=4.3.0.5.0

vendor=oracle AND product=utilities_framework AND version=4.3.0.6.0

vendor=oracle AND product=utilities_framework AND version=4.4.0.0.0

Reference

https://jira.qos.ch/browse/SLF4J-431
https://jira.qos.ch/browse/SLF4J-430
https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405
RHSA-2018:0592-Third Party Advisory
RHSA-2018:0582-Third Party Advisory
RHSA-2018:0630-Third Party Advisory
RHSA-2018:0629-Third Party Advisory
RHSA-2018:0628-Third Party Advisory
RHSA-2018:0627-Third Party Advisory
1040627-Third Party Advisory, VDB Entry
RHSA-2018:1251-Third Party Advisory
RHSA-2018:1249-Third Party Advisory
RHSA-2018:1248-Third Party Advisory
RHSA-2018:1247-Third Party Advisory
103737-Third Party Advisory, VDB Entry
RHSA-2018:1323-Third Party Advisory
RHSA-2018:1525-Third Party Advisory
RHSA-2018:1451-Third Party Advisory
RHSA-2018:1450-Third Party Advisory
RHSA-2018:1449-Third Party Advisory
RHSA-2018:1448-Third Party Advisory
RHSA-2018:1447-Third Party Advisory
RHSA-2018:1575-Third Party Advisory
RHSA-2018:2143-Third Party Advisory
RHSA-2018:2420-Third Party Advisory
RHSA-2018:2419-Third Party Advisory
RHSA-2018:2669-Third Party Advisory
RHSA-2018:2930-Third Party Advisory
[infra-devnull] 20190321 [GitHub] [tika] dadoonet opened pull request #268: Update slf4j to 1.8.0-beta4-Mailing List, Third Party Advisory
[infra-devnull] 20190321 [GitHub] [tika] grossws commented on issue #268: Update slf4j to 1.8.0-beta4-Mailing List, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
RHSA-2019:2413-Third Party Advisory
RHSA-2019:3140-Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
[hadoop-common-issues] 20200824 [jira] [Updated] (HADOOP-17220) Upgrade slf4j to 1.7.30 ( To Adress: CVE-2018-8088)-Mailing List, Third Party Advisory
[hadoop-common-dev] 20200824 [jira] [Created] (HADOOP-17220) Upgrade slf4j to 1.7.30 ( To Adress: CVE-2018-8088)-Mailing List, Third Party Advisory
[hadoop-common-issues] 20200824 [jira] [Created] (HADOOP-17220) Upgrade slf4j to 1.7.30 ( To Adress: CVE-2018-8088)-Mailing List, Third Party Advisory
[hadoop-common-issues] 20200824 [jira] [Commented] (HADOOP-17220) Upgrade slf4j to 1.7.30 ( To Adress: CVE-2018-8088)-Mailing List, Third Party Advisory
[hadoop-common-commits] 20200824 [hadoop] branch trunk updated: HADOOP-17220. Upgrade slf4j to 1.7.30 ( To Address: CVE-2018-8088). Contributed by Brahma Reddy Battula.-Mailing List, Patch, Third Party Advisory
[hadoop-common-commits] 20200824 [hadoop] branch branch-3.3 updated: HADOOP-17220. Upgrade slf4j to 1.7.30 ( To Address: CVE-2018-8088). Contributed by Brahma Reddy Battula.-Mailing List, Patch, Third Party Advisory
[hadoop-common-issues] 20200824 [jira] [Updated] (HADOOP-17220) Upgrade slf4j to 1.7.30 ( To Address: CVE-2018-8088)-Mailing List, Third Party Advisory
[logging-notifications] 20200825 [jira] [Commented] (LOG4J2-2329) Fix dependency in log4j-slf4j-impl to slf4j due to CVE-2018-8088-Mailing List, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list-Mailing List, Third Party Advisory
[pulsar-commits] 20210127 [GitHub] [pulsar] GLouMcK opened a new issue #9347: Security Vulnerabilities - Black Duck Scan-Mailing List, Third Party Advisory
[iotdb-notifications] 20210325 [jira] [Created] (IOTDB-1258) jcl-over-slf4j have Security Vulnerabilities CVE-2018-8088-
[iotdb-reviews] 20210325 [GitHub] [iotdb] wangchao316 opened a new pull request #2906: [IOTDB-1258] jcl-over-slf4j have security vulnerabilities CVE-2018-8088-
[iotdb-reviews] 20210327 [GitHub] [iotdb] wangchao316 closed pull request #2906: [IOTDB-1258] jcl-over-slf4j have security vulnerabilities CVE-2018-8088-
[iotdb-reviews] 20210327 [GitHub] [iotdb] wangchao316 opened a new pull request #2906: [IOTDB-1258] jcl-over-slf4j have security vulnerabilities CVE-2018-8088-
[zookeeper-dev] 20210327 [jira] [Created] (ZOOKEEPER-4264) Apache Zookeeper 3.6.2 - slf4j 1.7.25 has security vulnerability CVE-2018-8088-
[zookeeper-issues] 20210327 [jira] [Created] (ZOOKEEPER-4264) Apache Zookeeper 3.6.2 - slf4j 1.7.25 has security vulnerability CVE-2018-8088-
[zookeeper-issues] 20210327 [jira] [Updated] (ZOOKEEPER-4264) Apache Zookeeper 3.6.2 - slf4j 1.7.25 has security vulnerability CVE-2018-8088-
[zookeeper-issues] 20210328 [jira] [Commented] (ZOOKEEPER-4264) Apache Zookeeper 3.6.2 - slf4j 1.7.25 has security vulnerability CVE-2018-8088-
[iotdb-commits] 20210328 [iotdb] branch master updated: [IOTDB-1258] jcl-over-slf4j have security vulnerabilities CVE-2018-8088 (#2906)-
[iotdb-reviews] 20210328 [GitHub] [iotdb] HTHou merged pull request #2906: [IOTDB-1258] jcl-over-slf4j have security vulnerabilities CVE-2018-8088-
[flink-dev] 20210720 [jira] [Created] (FLINK-23444) Slf4j 1.7.15 has the high-risk vulnerability CVE-2018-8088-
[flink-issues] 20210721 [jira] [Commented] (FLINK-23444) Slf4j 1.7.15 has the high-risk vulnerability CVE-2018-8088-
[flink-issues] 20210720 [jira] [Created] (FLINK-23444) Slf4j 1.7.15 has the high-risk vulnerability CVE-2018-8088-
[flink-issues] 20210725 [jira] [Commented] (FLINK-23444) Slf4j 1.7.15 has the high-risk vulnerability CVE-2018-8088-
[flink-issues] 20210804 [jira] [Closed] (FLINK-23444) Slf4j 1.7.15 has the high-risk vulnerability CVE-2018-8088-
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.slf4j.org/news.html

Keywords

CVE-2018-8088

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2018-8088

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures