Details
Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Version: 1.6
Description
Scalatra 2.5.0 is pulling in outdated libraries, namely log4j 1.2.14, which has security concerns:
"Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. Users are advised to migrate to `org.apache.logging.log4j:log4j-core`. Remediation: No fix is known for this vulnerability."
The latest Scalatra version, 2.7.1, no longer depends on this dangerous library.
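The text quoted above is the description of CVE-2019-17571. Until the Scalatra upgrade lands, the practical check is to confirm which direct dependency drags log4j 1.2.x into the build and cut it out there. The script below is an added example, not code from this project or from Scalatra: it parses the text that `mvn dependency:tree` prints, flags every log4j:log4j node in the 1.2 through 1.2.17 range the advisory names, reports the path from the direct dependency to it, and emits the pom.xml exclusion for that direct dependency. The tree it runs on is constructed for the example; apart from the Scalatra and log4j coordinates, the group and artifact names are placeholders and the real Scalatra 2.5.0 tree is not reproduced.

```python
"""Audit Maven dependency:tree output for log4j 1.2.x and derive exclusions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, not real build output. It follows the layout of
# `mvn dependency:tree` (root line, then "+- " / "|  " / "\\- " indentation,
# three characters per level) and shows a Scalatra 2.5.0 dependency pulling in
# log4j 1.2.14 as the issue describes. org.example / junit / hamcrest entries
# are placeholders.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.6
[INFO] +- org.scalatra:scalatra_2.11:jar:2.5.0:compile
[INFO] |  \\- log4j:log4j:jar:1.2.14:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] \\- junit:junit:jar:4.12:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: Optional[str]
    depth: int
    parent: Optional["Node"]

    def coords(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


@dataclass
class Finding:
    path: List[str]      # coordinates from the direct dependency down to log4j
    direct: Node         # the direct dependency that should carry the exclusion
    vulnerable: Node     # the log4j 1.2.x node that was reached


# "[INFO] " then tree glyphs then one token of coordinates; banners and
# "BUILD SUCCESS" lines contain spaces after the token and do not match.
LINE_RE = re.compile(r"^\[INFO\] ([|+\\ -]*)(\S+)$")
LOG4J_12_RE = re.compile(r"^1\.2(?:\.(\d+))?$")


def parse_tree(text: str) -> List[Node]:
    """Turn dependency:tree lines into Node objects linked to their parents."""
    nodes: List[Node] = []
    stack: List[Node] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2).count(":") < 3:
            continue
        prefix, coords = m.groups()
        parts = coords.split(":")
        if len(parts) == 4:        # root: group:artifact:packaging:version
            version, scope = parts[3], None
        elif len(parts) == 5:      # group:artifact:packaging:version:scope
            version, scope = parts[3], parts[4]
        elif len(parts) == 6:      # ...:packaging:classifier:version:scope
            version, scope = parts[4], parts[5]
        else:
            continue
        depth = len(prefix) // 3   # Maven indents three characters per level
        del stack[depth:]          # drop back to this node's parent level
        parent = stack[-1] if stack else None
        node = Node(parts[0], parts[1], version, scope, depth, parent)
        nodes.append(node)
        stack.append(node)
    return nodes


def is_vulnerable_log4j(group: str, artifact: str, version: str) -> bool:
    """True for log4j:log4j 1.2 through 1.2.17, the range the advisory names."""
    if (group, artifact) != ("log4j", "log4j"):
        return False
    m = LOG4J_12_RE.match(version)
    return bool(m) and int(m.group(1) or 0) <= 17


def audit_tree(text: str) -> List[Finding]:
    """Return one Finding per log4j 1.2.x node, with the chain that reaches it."""
    findings: List[Finding] = []
    for node in parse_tree(text):
        if not is_vulnerable_log4j(node.group, node.artifact, node.version):
            continue
        chain: List[Node] = []
        cur: Optional[Node] = node
        while cur is not None and cur.depth >= 1:   # stop before the root
            chain.append(cur)
            cur = cur.parent
        if not chain:
            continue
        chain.reverse()                              # direct dependency first
        findings.append(Finding([n.coords() for n in chain], chain[0], node))
    return findings


def maven_exclusion(finding: Finding) -> str:
    """pom.xml entry that keeps the direct dependency but excludes log4j 1.x."""
    d, v = finding.direct, finding.vulnerable
    if d is v:   # log4j declared directly: nothing to exclude, remove or replace it
        return "<!-- log4j:log4j is a direct dependency; remove it or replace it -->"
    return (
        "<dependency>\n"
        f"  <groupId>{d.group}</groupId>\n"
        f"  <artifactId>{d.artifact}</artifactId>\n"
        f"  <version>{d.version}</version>\n"
        "  <exclusions>\n"
        "    <exclusion>\n"
        f"      <groupId>{v.group}</groupId>\n"
        f"      <artifactId>{v.artifact}</artifactId>\n"
        "    </exclusion>\n"
        "  </exclusions>\n"
        "</dependency>"
    )


if __name__ == "__main__":
    for f in audit_tree(SAMPLE_TREE):
        print("log4j 1.2.x reached via: " + " -> ".join(f.path))
        print(maven_exclusion(f))
```

Run it against real output with `mvn dependency:tree > tree.txt` and `audit_tree(open("tree.txt").read())`; in an sbt build the equivalent of the emitted exclusion is `"org.scalatra" %% "scalatra" % "2.5.0" exclude("log4j", "log4j")`. Two caveats: an exclusion only removes the jar, so any code that still calls the log4j 1 API will fail at runtime unless a replacement (the log4j-1.2-api bridge or an slf4j binding) is on the classpath, and the weakness the advisory describes lives in SocketServer, so it is reachable only where that server is actually run listening on the network. Keeping the artifact off the classpath altogether, as the Scalatra 2.7.1 upgrade does, is the durable fix.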