#VU11301 Improper access control in slf4j - CVE-2018-8088


Vulnerability identifier: #VU11301

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-8088

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
slf4j
Universal components / Libraries / Libraries used by multiple products

Vendor: Quality Open Software

Description
The vulnerability allows a remote unauthenticated attacker to bypass access restrictions on the target system.

The weakness exists in the org.slf4j.ext.EventData class due to improper security restrictions. A remote attacker can send specially crafted input, bypass access restrictions and gain unauthorized access to perform further attacks.

Mitigation
Update to version 1.8.0-beta2.

Vulnerable software versions

slf4j: 1.3.0 - 1.7.25

External links
https://jira.qos.ch/browse/SLF4J-430
https://jira.qos.ch/browse/SLF4J-431

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Operational Decision Manager
Multiple vulnerabilities in IBM Secure Proxy
Multiple vulnerabilities in IBM Secure External Authentication Server
Multiple vulnerabilities in Dell PowerStore Family
Multiple vulnerabilities in z/Transaction Processing Facility
Multiple vulnerabilities in Oracle WebLogic Server
Multiple vulnerabilities in Oracle GoldenGate Application Adapters
Multiple vulnerabilities in Red Hat JBoss Data Virtualization
Multiple vulnerabilities in Red Hat Fuse
OpenSUSE Linux update for slf4j