Posted to issues@maven.apache.org by "Srinivasan L (Jira)" <ji...@apache.org> on 2021/12/21 07:43:00 UTC

[jira] [Updated] (MNG-7366) Maven downloading log4j version not specified in POM when building the Project.

     [ https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Srinivasan L updated MNG-7366:
------------------------------
    Attachment: maven log4j issue.png

> Maven downloading log4j version not specified in POM when building the Project.
> -------------------------------------------------------------------------------
>
>                 Key: MNG-7366
>                 URL: https://issues.apache.org/jira/browse/MNG-7366
>             Project: Maven
>          Issue Type: Bug
>          Components: Artifacts and Repositories, Dependencies
>    Affects Versions: 3.8.4
>            Reporter: Srinivasan L
>            Priority: Critical
>         Attachments: maven log4j issue.png
>
>
> Maven downloading log4j version not specified in POM when building the Project.
> In the POM I have updated my log4j to log4j core 2.16.0 to fix the Log4j vulnerability with the older version. But even after changing the version, Maven is downloading the 1.2.12 and 1.2.17 versions of Log4j when running the build.
> I'm not seeing these versions even in the dependency tree of my project.
> Please help to fix this issue as it's a critical security issue.


