[ https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17463597#comment-17463597 ]
Srinivasan L commented on MNG-7366:
-----------------------------------

Thanks [~mthmulders], got it. But I was curious why Maven is downloading Log4j when no Dependency is specified in the Project POM.

> Maven downloading log4j version not specified in POM when building the Project.
> -------------------------------------------------------------------------------
>
>                 Key: MNG-7366
>                 URL: https://issues.apache.org/jira/browse/MNG-7366
>             Project: Maven
>          Issue Type: Bug
>          Components: Artifacts and Repositories, Dependencies
>    Affects Versions: 3.8.4
>            Reporter: Srinivasan L
>            Priority: Critical
>         Attachments: maven log4j issue.png
>
>
> Maven downloading log4j version not specified in POM when building the Project.
> In POM I have updated my log4j to log4j core 2.16.0 to fix the Log4j Vulnerability with Older version. But even after changing the Version Maven is downloading 1.2.12 and 1.2.17 version of Log4j when running the build.
> I'm not seeing these versions even in the dependency tree of my Project.
> Please help to fix this issue as it's a Critical Security Issue.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)