[ 
https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461325#comment-17461325
 ] 

Srinivasan L commented on MNG-7366:
-----------------------------------

[~mthmulders] I checked the dependency tree and didn't find any transitive 
dependency on an older Log4j version. So is there any other way to narrow 
this down to see where it's getting downloaded from?

> Maven downloading log4j version not specified in POM when building the 
> Project.
> -------------------------------------------------------------------------------
>
>                 Key: MNG-7366
>                 URL: https://issues.apache.org/jira/browse/MNG-7366
>             Project: Maven
>          Issue Type: Bug
>          Components: Artifacts and Repositories, Dependencies
>    Affects Versions: 3.8.4
>            Reporter: Srinivasan L
>            Priority: Critical
>
> Maven downloading log4j version not specified in POM when building the 
> Project.
> In the POM I have updated my log4j to log4j core 2.16.0 to fix the Log4j 
> vulnerability with the older version. But even after changing the version, Maven 
> is downloading the 1.2.12 and 1.2.17 versions of Log4j when running the build.
> I'm not seeing these versions even in the dependency tree of my project. 
> Please help to fix this issue as it's a critical security issue.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
