[ https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17471664#comment-17471664 ]
Tharanadha K commented on MNG-7366:
-----------------------------------
Thanks, Maarten. I am getting log4j 1.2.12 downloaded even though there are
no plug-ins or dependencies added in my POM.xml. It's automatically taking
maven-dependency-plugin 2.8 and downloading it. (Please see the attachment.)
Is there any solution, as my client doesn't want this download?
Thank you in advance.
> Maven downloading log4j version not specified in POM when building the
> Project.
> -------------------------------------------------------------------------------
>
> Key: MNG-7366
> URL: https://issues.apache.org/jira/browse/MNG-7366
> Project: Maven
> Issue Type: Bug
> Components: Artifacts and Repositories, Dependencies
> Affects Versions: 3.8.4
> Reporter: Srinivasan L
> Priority: Critical
> Attachments: image-2022-01-10-11-18-51-317.png, maven log4j issue.png
>
>
> Maven downloading log4j version not specified in POM when building the
> Project.
> In the POM I have updated my log4j to log4j core 2.16.0 to fix the Log4j
> vulnerability with the older version. But even after changing the version, Maven
> is downloading versions 1.2.12 and 1.2.17 of Log4j when running the build.
> I'm not seeing these versions even in the dependency tree of my project.
> Please help to fix this issue, as it's a critical security issue.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)