ppkarwasz commented on PR #401: URL: https://github.com/apache/commons-logging/pull/401#issuecomment-3448679823
For the reasons explained in https://github.com/apache/logging-log4j2/pull/3962#issuecomment-3431696669, CVE-2025-11226 does **not** constitute a genuine vulnerability. The CVE assumes that an attacker can influence Logback configuration, but that requires a level of access that already implies a full system compromise. Specifically, exploitation would require the attacker to:

* Control **environment variables or Java system properties**, which means they already control the process launching the JUnit test suite, **or**
* Modify the **`logback.xml` configuration file** in this repository, which is writable only by trusted contributors.

Both of these inputs are **trusted by design** in logging frameworks and build/test environments. If an attacker can modify them, they already have the ability to run arbitrary code and no additional "vulnerability" exists.

Therefore, this CVE is not applicable here and does **not** justify dependency changes.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
