
Update Version of (optional) Logback to Address CVE-2021-42550


Details

    Description

      CVE-2021-42550 is present in Logback versions 1.2.7 and earlier. Maven (optionally) uses v1.2.1. Please update to Logback 1.2.9, which includes a fix as per https://jira.qos.ch/browse/LOGBACK-1591.

      I see ch.qos.logback 1.2.1 in ./pom.xml and ch.qos.logback without a version specified in ./maven-embedder/pom.xml

      But I'm no expert on this code base so it's possible there are other versioned references.

      Edit: One could argue, as the Logback team has done, that the CVE is unimportant since in order to exploit it one must already have compromised the system. However, security scanners pick this up as an issue, causing unnecessary work and justifications.
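As an added check (not code from the Maven project or the reporter), the script below scans a pom.xml for ch.qos.logback dependencies, resolves `${property}` versions from the same file, and flags anything below the requested 1.2.9; entries with no explicit version are reported as inherited so they can be confirmed with the effective pom. The sample pom is constructed for the example and is not Maven's own.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
FIXED = "1.2.9"  # version the ticket asks for

# Constructed sample pom, NOT Maven's real pom.xml: one dependency pinned through
# a property, one with no version (inherited from a parent or dependencyManagement).
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <properties><logbackVersion>1.2.1</logbackVersion></properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${{logbackVersion}}</version>
    </dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
    </dependency>
  </dependencies>
</project>"""

def _q(tag):
    return f"{{{POM_NS}}}{tag}"

def version_tuple(v):
    # "1.2.9" -> (1, 2, 9); good enough for numeric Logback releases
    return tuple(int(p) for p in re.findall(r"\d+", v))

def logback_deps(pom_text, group="ch.qos.logback"):
    """Return [(artifactId, version or None)] for every dependency of `group`,
    covering both <dependencies> and <dependencyManagement>."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall(f"{_q('properties')}/*")}
    found = []
    for dep in root.iter(_q("dependency")):
        if dep.findtext(_q("groupId")) != group:
            continue
        version = dep.findtext(_q("version"))
        if version:  # resolve ${prop} from this pom's <properties> only
            version = re.sub(r"\$\{([^}]+)\}",
                             lambda m: props.get(m.group(1), m.group(0)), version)
        found.append((dep.findtext(_q("artifactId")), version))
    return found

def needs_update(version, fixed=FIXED):
    """True if an explicit version is below `fixed`; None means inherited and
    must be checked against `mvn help:effective-pom` output instead."""
    return version is not None and version_tuple(version) < version_tuple(fixed)

def report(pom_text):
    return [(a, v, needs_update(v)) for a, v in logback_deps(pom_text)]
```

Run `report()` over each pom.xml in the checkout to find the other versioned references the description mentions; a `None` version only tells you to look at the effective pom.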

            People

              cstamas Tamas Cservenak
              machale Mac Hale