[ 
https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460542#comment-17460542
 ] 

Maarten Mulders commented on MNG-7366:
--------------------------------------

This is not a bug in Maven. Your project probably has a transitive dependency 
on Log4J 1.x. You can inspect all dependencies with {{mvn dependency:tree}}. In 
the output, look for {{log4j:log4j:1.2.12}} or {{log4j:log4j:1.2.17}} and see 
which dependencies of your project cause this older version to be downloaded.

Be aware that the log file of Maven may also mention downloading plugins and 
their dependencies. Those will not end up in your project build.

> Maven downloading log4j version not specified in POM when building the 
> Project.
> -------------------------------------------------------------------------------
>
>                 Key: MNG-7366
>                 URL: https://issues.apache.org/jira/browse/MNG-7366
>             Project: Maven
>          Issue Type: Bug
>          Components: Artifacts and Repositories, Dependencies
>    Affects Versions: 3.8.4
>            Reporter: Srinivasan L
>            Priority: Critical
>
> Maven downloading log4j version not specified in POM when building the 
> Project.
> In the POM I have updated my log4j to log4j-core 2.16.0 to fix the Log4j 
> vulnerability with the older version. But even after changing the version, Maven 
> is downloading the 1.2.12 and 1.2.17 versions of Log4j when running the build.
> I'm not seeing these versions even in the dependency tree of my project. 
> Please help to fix this issue as it's a critical security issue.
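The inspection step from the comment above (run `mvn dependency:tree` and look for `log4j:log4j` 1.x), as an added shell example that is not part of this Jira thread. It reads the tree output on stdin, works out each node's depth from the `+-`/`\-` drawing characters, and prints which direct dependency of the project drags in each Log4j 1.x artifact. The tree text below is constructed for the example, not captured from a real build, and the `com.example.legacy` coordinates are invented placeholders.

```shell
#!/bin/sh
# find_log4j1: read `mvn dependency:tree` output on stdin and print
#   <direct dependency> -> <log4j:log4j 1.x coordinate>
# for every Log4j 1.x node, so the offending direct dependency is obvious.
# Lines that are not tree nodes (plugin downloads, separators) are ignored.
find_log4j1() {
  awk '
    /^\[INFO\] / {
      line = substr($0, 8)                       # drop the "[INFO] " prefix
      m = index(line, "+- ")                     # branch marker ...
      if (m == 0) m = index(line, "\\- ")        # ... or last-child marker
      if (m == 0) next                           # root line or non-tree output
      depth = int((m - 1) / 3) + 1               # each tree level indents 3 chars
      coord = substr(line, m + 3)                # group:artifact:type[:classifier]:version:scope
      stack[depth] = coord                       # stack[1] is the direct dependency
      n = split(coord, f, ":")
      ver = (n >= 6) ? f[5] : f[4]               # classifier shifts the version field
      ga = f[1] ":" f[2]
      if (ga == "log4j:log4j" && ver ~ /^1\./)
        print stack[1] " -> " coord
    }'
}

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE='[INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-dependency-plugin/maven-metadata.xml
[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile
[INFO] +- com.example.legacy:reporting:jar:2.0:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] \- com.example.legacy:metrics:jar:3.1:compile
[INFO]    \- com.example.legacy:metrics-core:jar:3.1:compile
[INFO]       \- log4j:log4j:jar:1.2.12:compile'

# Convenience wrapper over the constructed sample; returns the report text.
sample_report() {
  printf '%s\n' "$SAMPLE_TREE" | find_log4j1
}

# Run stand-alone: print the report for the sample tree.
sample_report
```

Against a real project the pipe is simply `mvn dependency:tree | find_log4j1`; the first column is the direct dependency whose transitive closure brings in Log4j 1.x, which is the one to upgrade or to exclude `log4j:log4j` from. The `log4j-core` 2.16.0 node is not reported because its groupId is `org.apache.logging.log4j`, and the "Downloading from central" line is skipped, matching the comment's point that plugin downloads are not part of the project build.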



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
