[
https://jira.qos.ch/browse/SLF4J-451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19419#comment-19419
]
Mark Symons commented on SLF4J-451:
-----------------------------------
The CVE reports "before 1.8.0-beta2" and "versions up to (including) 1.7.25".
Thus...
* The "affects version" field in this issue is incorrect. Should be 1.7.25?
* The threat is apparently fixed (1.8.0-beta2)
* When might 1.8.0 be released?
If 1.8.0 is not close, then could perhaps 1.7.26 be released with a fix? The
CVE has a CVSS v3.0 Base Score of 9.8
> org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before
> 1.8.0-beta2 allows remote attackers to bypass intended access restrictions
> via crafted data.
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SLF4J-451
> URL: https://jira.qos.ch/browse/SLF4J-451
> Project: SLF4J
> Issue Type: Bug
> Components: slf4j-ext
> Affects Versions: 1.8.0-beta2
> Environment: Linux
> Reporter: Narayan
> Assignee: SLF4J developers list
> Labels: logging
>
> More details is available in
> [https://nvd.nist.gov/vuln/detail/CVE-2018-8088|https://nvd.nist.gov/vuln/detail/CVE-2018-8088#VulnChangeHistorySection]
--
This message was sent by Atlassian JIRA
(v7.3.1#73012)
_______________________________________________
slf4j-dev mailing list
[email protected]
http://mailman.qos.ch/mailman/listinfo/slf4j-dev
