[MNG-7366] Maven downloading log4j version not specified in POM when building the Project. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Invalid
Affects Version/s: 3.8.4
Fix Version/s: None
Component/s: Artifacts and Repositories, Dependencies
Labels:
None

Flags:

Patch, Important
Language:
- Java

Description

Maven downloading log4j version not specified in POM when building the Project.

In POM i have updated my log4j to log4j core 2.16.0 to fix the Log4j Vulnerability with Older version. But even after changing the Version Maven is downloading 1.2.12 and 1.2.17 version of Log4j when running the build.

I'm not seeing these version even in the dependency tree of my Project.

Please help to fix this issue as its a Critical Security Issue.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

image-2022-01-10-11-18-51-317.png
10/Jan/22 05:48
192 kB
Tharanadha K
maven log4j issue.png
21/Dec/21 07:42
53 kB
Srinivasan L

Issue Links

is duplicated by

MNG-7387 Log4j1.2.12 dependency is getting downloading from Maven Project

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Srinivasan L

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 16/Dec/21 09:49

Updated:: 10/Jan/22 08:14

Resolved:: 16/Dec/21 09:58