Hello Arend,

This is a false positive: MIME4J uses log4j only for testing.

Regards,
Benoit

On 11/02/2022 04:16, Arend v. Reinersdorff wrote:
Hello,

the Maven Dependency Check plugin reports a number of CVEs for apache-mime4j-core-0.8.4.jar:

- CVE-2021-38542
- CVE-2021-40110
- CVE-2021-40111
- CVE-2021-40525

These were recently fixed in Apache James 3.6.1:
https://james.apache.org/james/update/2021/12/02/james-3.6.1.html

But I'm not sure how this relates to Mime4J. Is Mime4J still affected or are the reports false positives?

Best regards,
Arend