VYPR
Critical severity · NVD Advisory · Published Mar 20, 2018 · Updated Aug 5, 2024

CVE-2018-8088

Description

SLF4J EventData in slf4j-ext allows remote bypass of access restrictions via crafted data; fixed in 1.7.26 and 2.0.x.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is in the org.slf4j.ext.EventData class of the slf4j-ext module of QOS.CH SLF4J. The NVD description gives the affected range as versions before 1.8.0-beta2; the GitHub Security Advisory lists two affected ranges, releases before 1.7.26 and the 1.8.x pre-releases from 1.8.0-alpha0 up to but not including 1.8.0-beta4, with 1.7.26 and 1.8.0-beta4 as the fixed versions. A remote attacker who can get crafted data into EventData bypasses the access restrictions the application intended to enforce. The fix landed in the SLF4J project and is present in 1.7.26 and later releases and in the 2.0.x series [3]. Red Hat also shipped security updates for JBoss Enterprise Application Platform (EAP) 6.4 on RHEL 5, 6, and 7 [1][2][4].

Exploitation

An attacker with network access crafts data that, once processed by the vulnerable EventData code, bypasses the access controls the application intended. No prior authentication is needed, but the precondition is narrower than "uses slf4j-ext": the application must pass attacker-influenced data into EventData. The cited references do not spell out the mechanics; the affected code path is the EventData constructor that accepts an XML string and rebuilds the event map with java.beans.XMLDecoder, which executes the object-construction and method-call instructions encoded in the document. An attacker who controls that string can therefore instantiate classes and invoke methods of their choosing inside the JVM, so the practical consequence is code execution rather than a narrow access-control bypass. Any component that logs or processes untrusted input through EventData is the attack surface.

Impact

Successful exploitation lets the attacker circumvent security checks the application relies on. Depending on the application's access-control model, that means unauthorized access to protected resources, privilege elevation, or exposure of sensitive information. Because the flaw sits in a logging helper rather than in the application's own authorization code, the exposed entry point may be one the application never treated as an attack surface.

Mitigation

The fix is in SLF4J 1.7.26 for the 1.7.x line, 1.8.0-beta4 for the 1.8.x pre-releases (per the GitHub Security Advisory), and the 2.0.x series [3]; upgrade to one of those or later. For JBoss EAP 6.4, Red Hat shipped RHSA-2018:1450 (RHEL 5), RHSA-2018:1449 (RHEL 6) and RHSA-2018:1448 (RHEL 7) [1][2][4]. None of the references describes a workaround, so applying the patch is the recommended action. slf4j-ext is frequently present only as a transitive dependency, so check the resolved dependency tree or the jars actually deployed rather than only direct declarations, and until the upgrade lands, stop passing externally supplied data into EventData.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions                Patched versions
org.slf4j:slf4j-ext (Maven)    < 1.7.26                         1.7.26
org.slf4j:slf4j-ext (Maven)    >= 1.8.0-alpha0, < 1.8.0-beta4   1.8.0-beta4
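Turning the two affected ranges in the table above, and the upgrade advice in the Mitigation section, into something you can run against a deployment: the script below is an added example, not VYPR's or the SLF4J project's code. It parses Maven-style version strings, ranks alpha below beta below a final release (an assumption about qualifier order that matches how the advisory orders 1.8.0-alpha0 and 1.8.0-beta4), and flags every slf4j-ext jar in a classpath listing against both ranges. The sample paths are constructed for the example; feed scan_classpath the output of your build tool's resolved dependency listing or the jars actually deployed.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Affected ranges for org.slf4j:slf4j-ext from the GitHub Security Advisory table:
# (lower bound inclusive or None, upper bound exclusive, fixed version to move to).
AFFECTED_RANGES = [
    (None, "1.7.26", "1.7.26"),
    ("1.8.0-alpha0", "1.8.0-beta4", "1.8.0-beta4"),
]

# Assumption: pre-release qualifiers rank alpha < beta < final release,
# which matches how the advisory orders 1.8.0-alpha0 and 1.8.0-beta4.
QUALIFIER_RANK = {"alpha": 0, "beta": 1}
FINAL_RANK = 2

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?")
# Matches slf4j-ext-<version>.jar at the end of a path; slf4j-api jars are ignored.
JAR_RE = re.compile(r"(?:^|/)slf4j-ext-(\d[^/]*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.8.0-beta4' into a tuple that compares the way Maven orders it.

    Numeric segments are padded to three so '1.7' == '1.7.0'; the two trailing
    slots hold the qualifier rank and its number, with an unqualified release
    ranking above any alpha/beta of the same number.
    """
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    if m.group(2) is None:
        qualifier = (FINAL_RANK, 0)
    else:
        name = m.group(2).lower()
        if name not in QUALIFIER_RANK:
            raise ValueError(f"unsupported qualifier {name!r} in {version!r}")
        qualifier = (QUALIFIER_RANK[name], int(m.group(3) or 0))
    return tuple(nums) + qualifier


def fixed_version_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None."""
    parsed = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        above_lower = lower is None or parsed >= parse_version(lower)
        if above_lower and parsed < parse_version(upper):
            return fixed
    return None


def scan_classpath(entries: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map every slf4j-ext jar in a classpath listing to its required fix (or None)."""
    findings: Dict[str, Optional[str]] = {}
    for entry in entries:
        m = JAR_RE.search(entry)
        if m:
            findings[entry] = fixed_version_for(m.group(1))
    return findings


# Constructed sample: a classpath listing as a build tool or deploy script might
# print it. The paths are made up for this example.
SAMPLE_CLASSPATH = [
    "/opt/app/lib/slf4j-api-1.7.25.jar",
    "/opt/app/lib/slf4j-ext-1.7.25.jar",
    "/opt/app/lib/slf4j-ext-1.8.0-beta2.jar",
    "/opt/other/lib/slf4j-ext-1.8.0-beta4.jar",
    "/opt/other/lib/slf4j-ext-2.0.9.jar",
]

if __name__ == "__main__":
    for path, fix in scan_classpath(SAMPLE_CLASSPATH).items():
        status = f"AFFECTED (CVE-2018-8088), upgrade to {fix}" if fix else "not affected"
        print(f"{path}: {status}")
```

The point of carrying the qualifier explicitly is the 1.8.x line: a plain numeric comparison would call 1.8.0-alpha0 newer than the fixed 1.7.26 and wave it through, while the advisory lists it as affected.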

Affected products: 8

Patches: 1

d2b27fba88e9

fix SLF4J-431

https://github.com/qos-ch/slf4j · Ceki Gulcu · Mar 14, 2018 · via ghsa
1 file changed · +2 −0
  • slf4j-ext/src/main/java/org/slf4j/ext/EventData.java (+2 −0, modified)
    @@ -40,6 +40,8 @@
      * event. Users may extend this class for each EventType they want to log.
      * 
      * @author Ralph Goers
    + * 
    + * @deprecated Due to a security vulnerability, this class will be removed without replacement.
      */
     public class EventData implements Serializable {
     
    
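Review bot: the hunk only adds a Javadoc `@deprecated` tag to the class comment, which changes neither compilation nor runtime behaviour, so applications that still build EventData from externally supplied data remain exposed after this commit; pair it with the `@Deprecated` annotation on `public class EventData implements Serializable {` so callers at least get compiler warnings, and remove or disable the data-processing path the advisory describes rather than relying on the notice. The tag text ("this class will be removed without replacement") also gives readers no pointer to the release that carries the fix or to what they should migrate to.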

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 93
