[
https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461325#comment-17461325
]
Srinivasan L edited comment on MNG-7366 at 12/17/21, 10:18 AM:
---------------------------------------------------------------
[~mthmulders] I checked the dependency tree and didn't find any transitive
dependency for Log4j older version. so is there any other way to narrow down
this to see why/where maven is downloading older version?
was (Author: JIRAUSER282037):
[~mthmulders] I checked the dependency tree and didn't find any transitive
dependency for Log4j older version. so is there any other way to narrow down
this to see from why/where maven is downloading older version?
> Maven downloading log4j version not specified in POM when building the
> Project.
> -------------------------------------------------------------------------------
>
> Key: MNG-7366
> URL: https://issues.apache.org/jira/browse/MNG-7366
> Project: Maven
> Issue Type: Bug
> Components: Artifacts and Repositories, Dependencies
> Affects Versions: 3.8.4
> Reporter: Srinivasan L
> Priority: Critical
>
> Maven downloading log4j version not specified in POM when building the
> Project.
> In POM i have updated my log4j to log4j core 2.16.0 to fix the Log4j
> Vulnerability with Older version. But even after changing the Version Maven
> is downloading 1.2.12 and 1.2.17 version of Log4j when running the build.
> I'm not seeing these version even in the dependency tree of my Project.
> Please help to fix this issue as its a Critical Security Issue.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
