[ 
https://issues.apache.org/jira/browse/MNG-7441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Herve Boutemy updated MNG-7441:
-------------------------------
    Description: 
[CVE-2021-42550|https://nvd.nist.gov/vuln/detail/CVE-2021-42550] is present in 
Logback versions 1.2.7 and earlier. Maven (optionally) uses v 1.2.1. Please 
update to Logback 1.2.9, which includes a fix as per 
[https://jira.qos.ch/browse/LOGBACK-1591].

I see ch.qos.logback 1.2.1 in {{./pom.xml}} and ch.qos.logback without a 
version specified in {{./maven-embedder/pom.xml}}

But I'm no expert on this code base so it's possible there are other versioned 
references.

Edit: One could argue, as the Logback team has done, that the CVE is 
unimportant since in order to exploit it one must already have compromised the 
system. However, security scanners pick this up as an issue, causing 
unnecessary work and justifications.

  was:
[CVE-2021-42550|https://nvd.nist.gov/vuln/detail/CVE-2021-42550] is present in 
Logback versions 1.2.7 and earlier. Maven uses v 1.2.1. Please update to 
Logback 1.2.9, which includes a fix as per 
[https://jira.qos.ch/browse/LOGBACK-1591].

I see ch.qos.logback 1.2.1 in {{./pom.xml}} and ch.qos.logback without a 
version specified in {{./maven-embedder/pom.xml}}

But I'm no expert on this code base so it's possible there are other versioned 
references.

Edit: One could argue, as the Logback team has done, that the CVE is 
unimportant since in order to exploit it one must already have compromised the 
system. However, security scanners pick this up as an issue, causing 
unnecessary work and justifications.


> Update Version of (optional) Logback to Address CVE-2021-42550
> --------------------------------------------------------------
>
>                 Key: MNG-7441
>                 URL: https://issues.apache.org/jira/browse/MNG-7441
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.8.5
>            Reporter: Mac Hale
>            Assignee: Tamás Cservenák
>            Priority: Major
>             Fix For: 3.8.6, 3.9.0, 4.0.0-alpha-1, 4.0.0
>
>
> [CVE-2021-42550|https://nvd.nist.gov/vuln/detail/CVE-2021-42550] is present 
> in Logback versions 1.2.7 and earlier. Maven (optionally) uses v 1.2.1. 
> Please update to Logback 1.2.9, which includes a fix as per 
> [https://jira.qos.ch/browse/LOGBACK-1591].
> I see ch.qos.logback 1.2.1 in {{./pom.xml}} and ch.qos.logback without a 
> version specified in {{./maven-embedder/pom.xml}}
> But I'm no expert on this code base so it's possible there are other 
> versioned references.
> Edit: One could argue, as the Logback team has done, that the CVE is 
> unimportant since in order to exploit it one must already have compromised 
> the system. However, security scanners pick this up as an issue, causing 
> unnecessary work and justifications.
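The reporter's question ("it's possible there are other versioned references") is the kind of thing a maintainer wants to answer mechanically rather than by eyeballing pom files. The script below is an added example written for this ticket, not code from the Maven project or from the reporter: it walks the `<dependency>` blocks of a pom.xml, resolves `${property}` version references from the `<properties>` section, skips `<exclusions>`, and reports every `ch.qos.logback` artifact whose pinned version is older than 1.2.9 (the release the ticket asks for). The sample pom it writes to a temp file is constructed for the demonstration and mirrors the two cases the ticket names: a pinned 1.2.1 and an unversioned declaration. The version comparison is numeric per dotted component only (no qualifier handling), which is an assumption adequate for Logback's release numbering.

```shell
#!/bin/sh
# Added example (not Maven project code): find ch.qos.logback dependency
# declarations in a pom.xml and flag versions older than the fixed release.

FIXED_VERSION="1.2.9"   # Logback release that contains the LOGBACK-1591 fix

# version_lt A B: exit 0 when dotted version A is numerically older than B.
# Assumption: components are plain integers (qualifiers like -SNAPSHOT are
# truncated by awk's string-to-number conversion).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, /\./); m = split(b, y, /\./)
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      ai = (i <= n) ? x[i] + 0 : 0
      bi = (i <= m) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1
  }'
}

# logback_versions POM: print "artifactId version" for each ch.qos.logback
# dependency. "(unmanaged)" means no <version> in the block, i.e. the version
# is inherited from a parent or dependencyManagement and must be resolved by
# Maven itself.
logback_versions() {
  awk '
    function tagval(line, tag,   s) {
      s = line
      sub("^.*<" tag ">", "", s); sub("</" tag ">.*$", "", s)
      return s
    }
    /<properties>/   { inprops = 1 }
    /<\/properties>/ { inprops = 0 }
    inprops && match($0, /<[A-Za-z0-9_.-]+>[^<]*<\//) {
      name = $0; sub(/^[ \t]*</, "", name); sub(/>.*$/, "", name)
      props[name] = tagval($0, name)
    }
    /<exclusions>/   { inexcl = 1 }
    /<\/exclusions>/ { inexcl = 0 }
    /<dependency>/   { indep = 1; g = ""; a = ""; v = "" }
    indep && !inexcl && /<groupId>/    { g = tagval($0, "groupId") }
    indep && !inexcl && /<artifactId>/ { a = tagval($0, "artifactId") }
    indep && !inexcl && /<version>/    { v = tagval($0, "version") }
    /<\/dependency>/ {
      indep = 0
      if (g == "ch.qos.logback") {
        # resolve ${prop} against <properties>; leave unknown refs as-is
        if (substr(v, 1, 2) == "${" && substr(v, length(v)) == "}") {
          p = substr(v, 3, length(v) - 3)
          if (p in props) v = props[p]
        }
        print a, (v == "" ? "(unmanaged)" : v)
      }
    }
  ' "$1"
}

# logback_outdated POM: print only the pinned versions older than FIXED_VERSION.
logback_outdated() {
  logback_versions "$1" | while read -r artifact version; do
    case "$version" in
      "(unmanaged)"|'${'*) continue ;;   # cannot judge without Maven resolution
    esac
    if version_lt "$version" "$FIXED_VERSION"; then
      echo "$artifact $version"
    fi
  done
}

# logback_needs_update POM: exit 0 when at least one outdated pin was found.
logback_needs_update() {
  [ -n "$(logback_outdated "$1")" ]
}

# Constructed sample pom (not a real Maven pom): one property-pinned 1.2.1,
# one logback groupId that only appears inside <exclusions>, one unversioned.
SAMPLE_POM="${TMPDIR:-/tmp}/logback-check-sample-pom.xml"
cat > "$SAMPLE_POM" <<'EOF'
<project>
  <properties>
    <logback.version>1.2.1</logback.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${logback.version}</version>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>logging-facade</artifactId>
      <version>1.0.0</version>
      <exclusions>
        <exclusion>
          <groupId>ch.qos.logback</groupId>
          <artifactId>logback-core</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
    </dependency>
  </dependencies>
</project>
EOF

if logback_needs_update "$SAMPLE_POM"; then
  echo "outdated ch.qos.logback pins in $SAMPLE_POM:"
  logback_outdated "$SAMPLE_POM"
else
  echo "no ch.qos.logback pin older than $FIXED_VERSION in $SAMPLE_POM"
fi
```

Run it against every pom in a checkout with `find . -name pom.xml -exec sh -c 'logback_outdated "$1"' _ {} \;` after sourcing the functions. The "(unmanaged)" rows are exactly the declarations this scan cannot judge; for those, the authoritative answer is Maven's own resolution, e.g. `mvn dependency:tree -Dincludes=ch.qos.logback`, which reports the effective version after parent and dependencyManagement inheritance.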



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
