GHSA-w77p-8cfg-2x43

Suggest an improvement
Source
https://github.com/advisories/GHSA-w77p-8cfg-2x43
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w77p-8cfg-2x43/GHSA-w77p-8cfg-2x43.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w77p-8cfg-2x43
Aliases
Published
2022-05-13T01:04:09Z
Modified
2024-03-10T05:18:53.885836Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Improper Access Control in SLF4J
Details

org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta4 allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J, has been fixed in SLF4J version 1.7.26 and later and in the 2.0.x series.

Note that while the fix commit is associated with the tag 1.8.0-beta3, the versions in Maven go directly from 1.8.0-beta2 to 1.8.0-beta4.

Database specific
{
    "nvd_published_at": "2018-03-20T16:29:00Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-29T18:51:39Z"
}
References

Affected packages

Maven / org.slf4j:slf4j-ext

Package

Name
org.slf4j:slf4j-ext
View open source insights on deps.dev
Purl
pkg:maven/org.slf4j/slf4j-ext

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.26

Affected versions

1.*

1.0-alpha0
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9.RC1
1.5.9-RC0
1.5.10
1.5.11
1.6.0-alpha2
1.6.0-RC0
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.18
1.7.19
1.7.20
1.7.21
1.7.22
1.7.23
1.7.24
1.7.25

Database specific

{
    "last_known_affected_version_range": "<= 1.7.25"
}

Maven / org.slf4j:slf4j-ext

Package

Name
org.slf4j:slf4j-ext
View open source insights on deps.dev
Purl
pkg:maven/org.slf4j/slf4j-ext

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.8.0-alpha0
Fixed
1.8.0-beta4

Affected versions

1.*

1.8.0-alpha0
1.8.0-alpha1
1.8.0-alpha2
1.8.0-beta0
1.8.0-beta1
1.8.0-beta2

Database specific

{
    "last_known_affected_version_range": "<= 1.8.0-beta2"
}