
CVEs in the execution path imported by dependencies


Details

    • Dependency upgrade
    • Status: Closed
    • Major
    • Resolution: Invalid

    Description

      Hello, your project is using some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project. To prevent the potential security risks it may cause, I suggest updating the library dependency. Please look into the details below.

      • Vulnerable Dependency: org.slf4j : slf4j-ext : 1.7.25
      • Call Chain to Buggy Methods:
        • Some files in your project call the library method org.slf4j.ext.EventData.getMessage(), which can reach the buggy method of CVE-2018-8088.
          • Files in your project: log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
          • One of the possible call chains:
            org.slf4j.ext.EventData.getMessage() [buggy method]
        • Some files in your project call the library method org.slf4j.ext.EventData.getEventMap(), which can reach the buggy method of CVE-2018-8088.
          • Files in your project: log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
          • One of the possible call chains:
            org.slf4j.ext.EventData.getEventMap() [buggy method]
        • Some files in your project call the library method org.slf4j.ext.EventData.getEventType(), which can reach the buggy method of CVE-2018-8088.
          • Files in your project: log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
          • One of the possible call chains:
            org.slf4j.ext.EventData.getEventType() [buggy method]
        • Some files in your project call the library method org.slf4j.ext.EventData.getEventId(), which can reach the buggy method of CVE-2018-8088.
          • Files in your project: log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
          • One of the possible call chains:
            org.slf4j.ext.EventData.getEventId() [buggy method]
        • Update suggestion: version 1.8.0-beta2 is a safe version without CVEs. From 1.7.25 to 1.8.0-beta2, the APIs used in your project have not changed.

      People

        Assignee: Unassigned
        Reporter: XuCongying (XuCY)