[ https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17471200#comment-17471200 ]

Maarten Mulders commented on MNG-7366:
--------------------------------------

I've said it before, and I'll say it again: a dependency being downloaded and 
stored on your filesystem does not do any harm per se.

It _can_ become harmful when that JAR is included in the classpath of a running 
system, that is also exposing the vulnerability. Then still, one would need to 
assess the _whole_ situation: what traffic hits the system, how is that 
vulnerable JAR used, etc. There is no single answer to that question - not for 
Maven, not for any other software in the world.

Back to the case of [~tharanadha]. Indeed, the Maven Compiler Plugin 3.1 
(transitively) depends on Log4J 1.2.12. Note that the latest version of that 
plugin, 3.8.1, no longer has this transitive dependency. But another plugin in 
your build may still have such a (transitive) dependency.

> Maven downloading log4j version not specified in POM when building the 
> Project.
> -------------------------------------------------------------------------------
>
>                 Key: MNG-7366
>                 URL: https://issues.apache.org/jira/browse/MNG-7366
>             Project: Maven
>          Issue Type: Bug
>          Components: Artifacts and Repositories, Dependencies
>    Affects Versions: 3.8.4
>            Reporter: Srinivasan L
>            Priority: Critical
>         Attachments: maven log4j issue.png
>
>
> Maven downloading log4j version not specified in POM when building the 
> Project.
> In POM I have updated my log4j to log4j core 2.16.0 to fix the Log4j 
> Vulnerability with Older version. But even after changing the Version Maven 
> is downloading 1.2.12 and 1.2.17 version of Log4j when running the build.
> I'm not seeing these versions even in the dependency tree of my Project. 
> Please help to fix this issue as its a Critical Security Issue.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
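The distinction the comment draws, a JAR sitting in the local repository versus a JAR on the running application's classpath, can be checked mechanically. The script below is an added example, not code from the Jira thread or from Maven itself. It assumes the standard local-repository layout (`<repo>/<groupId as path>/<artifactId>/<version>/<artifactId>-<version>.jar`) and a runtime classpath as written by `mvn dependency:build-classpath -Dmdep.outputFile=cp.txt`; a constructed throwaway repository and classpath string stand in for both so it runs offline. Plugin-side dependencies such as the compiler plugin's Log4j 1.2.12 are listed by `mvn dependency:resolve-plugins`, not by `mvn dependency:tree`, which is why the reporter does not see them in the tree.

```python
"""Separate log4j JARs merely cached in the local Maven repository from
those that actually reach a project's runtime classpath.

Added example, not part of the Jira thread or of Maven. Assumptions:
- local repository layout <repo>/<groupId path>/<artifactId>/<version>/
  <artifactId>-<version>.jar
- the runtime classpath is one path-separated line, as produced by
  `mvn dependency:build-classpath -Dmdep.outputFile=cp.txt`; a constructed
  string stands in for it here.
"""
import os
import tempfile
from pathlib import Path

# Maven coordinates of interest: (groupId, artifactId)
LOG4J_COORDS = [
    ("log4j", "log4j"),                          # Log4j 1.x
    ("org.apache.logging.log4j", "log4j-core"),  # Log4j 2.x
]


def cached_log4j_jars(repo):
    """Return [(groupId, artifactId, version, jar_path)] for every log4j
    JAR present anywhere in the local repository."""
    found = []
    for group, artifact in LOG4J_COORDS:
        base = Path(repo, *group.split("."), artifact)
        if not base.is_dir():
            continue
        for vdir in sorted(base.iterdir()):
            jar = vdir / f"{artifact}-{vdir.name}.jar"
            if jar.is_file():
                found.append((group, artifact, vdir.name, str(jar)))
    return found


def on_runtime_classpath(jars, classpath):
    """Keep only the cached JARs whose path appears on the classpath."""
    entries = set(classpath.strip().split(os.pathsep))
    return [j for j in jars if j[3] in entries]


def make_constructed_repo():
    """Constructed data mimicking the reporter's situation: log4j 1.2.12 and
    1.2.17 cached (pulled in by build plugins), log4j-core 2.16.0 declared by
    the project. Returns (repo_path, constructed_classpath)."""
    repo = tempfile.mkdtemp(prefix="m2-")
    for group, artifact, version in [
        ("log4j", "log4j", "1.2.12"),
        ("log4j", "log4j", "1.2.17"),
        ("org.apache.logging.log4j", "log4j-core", "2.16.0"),
    ]:
        vdir = Path(repo, *group.split("."), artifact, version)
        vdir.mkdir(parents=True)
        # Stub file, not a real JAR; only its presence matters here.
        (vdir / f"{artifact}-{version}.jar").write_bytes(b"PK\x03\x04")
    # Only the declared 2.16.0 artifact reaches the project's runtime classpath.
    classpath = str(Path(repo, "org", "apache", "logging", "log4j",
                         "log4j-core", "2.16.0", "log4j-core-2.16.0.jar"))
    return repo, classpath


def report(repo, classpath):
    """Summarise what is cached versus what is actually loaded at runtime."""
    cached = cached_log4j_jars(repo)
    live = on_runtime_classpath(cached, classpath)
    return {
        "cached": [(g, a, v) for g, a, v, _ in cached],
        "on_classpath": [(g, a, v) for g, a, v, _ in live],
    }


if __name__ == "__main__":
    repo_dir, cp = make_constructed_repo()
    result = report(repo_dir, cp)
    print("cached in local repo: ", result["cached"])
    print("on runtime classpath: ", result["on_classpath"])
```

Against a real project, replace the constructed repository with `~/.m2/repository` and the classpath string with the contents of the file written by `dependency:build-classpath`; anything that shows up as cached but not on the classpath is build-tool baggage to be assessed separately (for example with `dependency:resolve-plugins`), not a runtime exposure of the application.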
