Srinivasan L created MNG-7366:
---------------------------------

             Summary: Maven downloading log4j version not specified in POM when building the Project.
                 Key: MNG-7366
                 URL: https://issues.apache.org/jira/browse/MNG-7366
             Project: Maven
          Issue Type: Bug
          Components: Artifacts and Repositories, Dependencies
    Affects Versions: 3.8.4
            Reporter: Srinivasan L


Maven downloading log4j version not specified in POM when building the Project.

In the POM I have updated my log4j to log4j core 2.16.0 to fix the Log4j 
vulnerability with the older version. But even after changing the version, Maven is 
downloading the 1.2.12 and 1.2.17 versions of Log4j when running the build.

I'm not seeing these versions even in the dependency tree of my project.

Please help to fix this issue as it's a critical security issue.


