Posted to dev@logging.apache.org by mi...@solem.cl.INVALID on 2022/10/27 13:00:25 UTC

log4net > Vulnerability > CVE-2021-24112

Hello,

In our CI pipeline, we detected vulnerability CVE-2021-24112, which affects
the System.Drawing.Common 5.0.0 package, which is a dependency of log4net
2.0.15.

> dotnet list package --vulnerable --include-transitive
   > System.Drawing.Common      5.0.0      Critical   https://github.com/advisories/GHSA-rxg9-xrhp-64gj

Regards.


Re: log4net > Vulnerability > CVE-2021-24112

Posted by Davyd McColl <da...@gmail.com>.
Good day

Transient dependencies with vulnerabilities are not considered issues with log4net since they are easily updated in the consuming application. We do not release a new version of log4net every time an upstream package is updated either.

-d

On 2022-10-27 15:03:03, miguel.carvajal@solem.cl.invalid <mi...@solem.cl.invalid> wrote:
Hello,
 
In our CI pipeline, we detected vulnerability CVE-2021-24112, which affects the System.Drawing.Common 5.0.0 package, which is a dependency of log4net 2.0.15.
 
> dotnet list package --vulnerable --include-transitive
   > System.Drawing.Common      5.0.0      Critical   https://github.com/advisories/GHSA-rxg9-xrhp-64gj
 
Regards.
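
The scan output quoted in this thread can be triaged in CI by separating top-level from transitive findings, since the two are fixed in different places in the consuming application. The following is an added example, not part of either message and not log4net code. It assumes the "Top-level Package" / "Transitive Package" table layout of the dotnet CLI's text output; the sample input is constructed, and only the System.Drawing.Common row comes from the thread.

```python
import re

# Constructed sample. Only the System.Drawing.Common row comes from the thread;
# the project name, framework, header rows and top-level row are assumed.
SAMPLE = """\
Project `ExampleApp` has the following vulnerable packages
   [net6.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > Example.Direct       1.0.0       1.0.0      High       https://example.invalid/advisory

   Transitive Package          Resolved   Severity   Advisory URL
   > System.Drawing.Common     5.0.0      Critical   https://github.com/advisories/GHSA-rxg9-xrhp-64gj
"""

FRAMEWORK = re.compile(r"^\[([^\]]+)\]:$")


def parse_findings(text):
    """Return one dict per vulnerable package row, tagged with its scope."""
    findings, scope, framework = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        fw = FRAMEWORK.match(line)
        if fw:
            framework, scope = fw.group(1), None
        elif line.startswith("Top-level Package"):
            scope = "top-level"
        elif line.startswith("Transitive Package"):
            scope = "transitive"
        elif line.startswith(">") and scope:
            cols = line[1:].split()
            if len(cols) < 4:
                continue  # malformed row: skip rather than guess
            # Index from the right: top-level rows carry an extra "Requested" column.
            findings.append({"package": cols[0], "resolved": cols[-3],
                             "severity": cols[-2], "advisory": cols[-1],
                             "scope": scope, "framework": framework})
    return findings


def remediation(finding):
    """Where the consuming application applies the fix."""
    if finding["scope"] == "transitive":
        return "add a direct PackageReference to a patched " + finding["package"]
    return "raise the existing PackageReference for " + finding["package"]


if __name__ == "__main__":
    for f in parse_findings(SAMPLE):
        print(f["severity"], f["package"], f["resolved"], "->", remediation(f))
```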