Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-842

shiro-web depends on older log4j

    XMLWordPrintableJSON

Details

    • Dependency upgrade
    • Status: Resolved
    • Major
    • Resolution: Resolved
    • 1.8.0
    • 2.0.0-alpha, 1.9.0
    • Web
    • None

    Description

      shiro-web has a very old log4j dependency  (log4j:log4j)

      Snyk is reporting as a critical security issue (not sure it's actually is)

      Shiro should upgrade to the latest 1.x (or 2.x) if necessary

      Attachments

        Issue Links

          is duplicated by

          Question - A formal question. Initially added for the Legal JIRA. SHIRO-847 Log4j 1.x 版本的CVE-2022-23302/23305/23307在Apache Shiro 1.8.0版本是否受影响

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed
          links to

          Web Link GitHub Pull Request #335

          Activity

            People

              bmarwell Benjamin Marwell
              lprimak Lenny Primak
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 50m
                  50m