Hello Arend,

This is a false positive: MIME4J uses log4j only for testing.

Regards,

Benoit

On 11/02/2022 04:16, Arend v. Reinersdorff wrote:
Hello,

the Maven Dependency Check plugin reports a number of CVEs for
apache-mime4j-core-0.8.4.jar:
- CVE-2021-38542
- CVE-2021-40110
- CVE-2021-40111
- CVE-2021-40525

These were recently fixed in Apache James 3.6.1:
https://james.apache.org/james/update/2021/12/02/james-3.6.1.html

But I'm not sure how this relates to Mime4J. Is Mime4J still affected or
are the reports false positives?

Best regards,
Arend
