Dependency org.apache.logging.log4j:log4j-core has multiple CVEs against it #11

@jairmyree

The latest release of classif takes a dependency on org.apache.logging.log4j:log4j-core:jar:2.11.2 which has multiple direct CVEs against it.
These CVEs are being passed into the latest release of org.revapi:revapi-java (version 0.28.0).
Please release a version with the dependency org.apache.logging.log4j:log4j-core upgraded to version 2.17.1 or greater where these direct CVEs have been resolved.

I'm linking here the issue that I've opened with revapi as well.
revapi/revapi#284
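
An added example, not part of the original issue or of either project's code: a Python check that reads `mvn dependency:tree` output and reports every dependency path that pulls in log4j-core older than the 2.17.1 requested above. The sample tree is constructed, and the consumer project and the classif group id and version in it are placeholders.

```python
import re

TARGET = "org.apache.logging.log4j:log4j-core"
MIN_FIXED = (2, 17, 1)  # minimum version requested in the issue

# Constructed sample of `mvn dependency:tree` output. The consumer project and
# the classif group id/version are placeholders, not real coordinates.
SAMPLE_TREE = r"""
[INFO] com.example:consumer:jar:1.0.0
[INFO] +- org.revapi:revapi-java:jar:0.28.0:compile
[INFO] |  \- placeholder.group:classif:jar:0.0.0:compile
[INFO] |     \- org.apache.logging.log4j:log4j-core:jar:2.11.2:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
"""

# Optional "[INFO] " prefix, tree-drawing indent, then a Maven coordinate.
LINE = re.compile(
    r"^(?:\[INFO\] )?(?P<indent>[ |+\\-]*)(?P<coord>[^\s:]+(?::[^\s:]+){3,5})\s*$"
)

def version_key(version):
    """Numeric key for comparison; a qualifier such as -SNAPSHOT is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def find_outdated(tree_text, minimum=MIN_FIXED):
    """Return (version, path) for each TARGET entry older than `minimum`."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue
        parts = match.group("coord").split(":")
        # group:artifact:type[:classifier]:version[:scope]
        version = parts[4] if len(parts) == 6 else parts[3]
        name = f"{parts[0]}:{parts[1]}"
        depth = len(match.group("indent")) // 3  # three characters per level
        stack = stack[:depth] + [name]
        if name == TARGET and version_key(version) < minimum:
            findings.append((version, list(stack)))
    return findings

if __name__ == "__main__":
    for version, path in find_outdated(SAMPLE_TREE):
        print(f"log4j-core {version} < 2.17.1 via " + " -> ".join(path))
```

The reported path shows which direct dependency has to ship the upgrade before the finding clears.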
