Maven / MNG-7366

Maven downloading log4j version not specified in POM when building the Project.


Details

    • Patch, Important

    Description

      Maven downloading log4j version not specified in POM when building the Project.

      In the POM I have updated my log4j to log4j core 2.16.0 to fix the Log4j vulnerability with the older version. But even after changing the version, Maven is downloading the 1.2.12 and 1.2.17 versions of Log4j when running the build.

      I'm not seeing these versions even in the dependency tree of my project.

      Please help to fix this issue, as it's a critical security issue.

          People

            Unassigned Unassigned
            srini1801 Srinivasan L
            Votes: 0
            Watchers: 3