CVE-2018-8088
Severity
9.8 CRITICAL
EPSS
1.9%
top 16.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 20
Latest update: May 13
Description
org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J has been fixed in SLF4J versions 1.7.26 and later and in the 2.0.x series.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 12 packages
Also affects: Enterprise Linux 7.4, 7.5, 7.6, 7.7
Patches
Vulnerability Details: 4
Vendor Advisories: 5
Oracle
Oracle: Oracle Fusion Middleware Risk Matrix: Application Adapters (SLF4J) — CVE-2018-8088 (2020-10-15)
Red Hat: slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (2018-02-22)
Debian: CVE-2018-8088: libslf4j-java - org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-bet... (2018)
Community: 3
Bugzilla: CVE-2018-8088 slf4j-jboss-logmanager: slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution [fedora-all] (2018-02-28)
Bugzilla: CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution [fedora-all] (2018-02-28)
Bugzilla: CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (2018-02-26)