[
https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17471184#comment-17471184
]
Tharanadha K commented on MNG-7366:
-----------------------------------
Hi Maarten,
I am also facing this issue. Log4J1.2.12 getting downloading in repository
through maven default compiler 3.1 even though I upgraded maven compiler plugin
to 3.8.1 version. And also I observed from Maven assembly plugin 3.3.0.
In our dependencies, we are using log4j-core 2.17.0.
Looking for help to resolve this downloading of Log4j1-2-12 in repository as
client don't want it.
Thank you,
> Maven downloading log4j version not specified in POM when building the
> Project.
> -------------------------------------------------------------------------------
>
> Key: MNG-7366
> URL: https://issues.apache.org/jira/browse/MNG-7366
> Project: Maven
> Issue Type: Bug
> Components: Artifacts and Repositories, Dependencies
> Affects Versions: 3.8.4
> Reporter: Srinivasan L
> Priority: Critical
> Attachments: maven log4j issue.png
>
>
> Maven downloading log4j version not specified in POM when building the
> Project.
> In POM i have updated my log4j to log4j core 2.16.0 to fix the Log4j
> Vulnerability with Older version. But even after changing the Version Maven
> is downloading 1.2.12 and 1.2.17 version of Log4j when running the build.
> I'm not seeing these version even in the dependency tree of my Project.
> Please help to fix this issue as its a Critical Security Issue.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
