[ https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17471184#comment-17471184 ]
Tharanadha K commented on MNG-7366:
-----------------------------------

Hi Maarten,

I am also facing this issue. Log4J 1.2.12 is getting downloaded into the repository through the Maven default compiler 3.1 even though I upgraded the Maven compiler plugin to version 3.8.1. I also observed this from Maven assembly plugin 3.3.0. In our dependencies, we are using log4j-core 2.17.0.

Looking for help to resolve this downloading of Log4j1-2-12 into the repository, as the client doesn't want it.

Thank you,

> Maven downloading log4j version not specified in POM when building the Project.
> -------------------------------------------------------------------------------
>
>                 Key: MNG-7366
>                 URL: https://issues.apache.org/jira/browse/MNG-7366
>             Project: Maven
>          Issue Type: Bug
>          Components: Artifacts and Repositories, Dependencies
>    Affects Versions: 3.8.4
>            Reporter: Srinivasan L
>            Priority: Critical
>         Attachments: maven log4j issue.png
>
>
> Maven downloading log4j version not specified in POM when building the Project.
> In the POM I have updated my log4j to log4j core 2.16.0 to fix the Log4j Vulnerability with Older version. But even after changing the Version, Maven is downloading the 1.2.12 and 1.2.17 versions of Log4j when running the build.
> I'm not seeing these versions even in the dependency tree of my Project.
> Please help to fix this issue as it's a Critical Security Issue.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)