[ https://issues.apache.org/jira/browse/MNG-7441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17512107#comment-17512107 ]
Michael Osipov commented on MNG-7441:
-------------------------------------

I consider the cause with LOGBACK-1591 rather constructed, though I have provided the patch to harden Logback to mute those voices. Maven is not affected since this dependency is optional.

> Update Version of Logback to Address CVE-2021-42550
> ---------------------------------------------------
>
>                 Key: MNG-7441
>                 URL: https://issues.apache.org/jira/browse/MNG-7441
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.8.5
>            Reporter: Mac Hale
>            Priority: Major
>
> [CVE-2021-42550|https://nvd.nist.gov/vuln/detail/CVE-2021-42550] is present
> in Logback versions 1.2.7 and earlier. Maven uses v 1.2.1. Please update to
> Logback 1.2.9, which includes a fix as per
> https://jira.qos.ch/browse/LOGBACK-1591.
>
> I see ch.qos.logback 1.2.1 in {{./pom.xml}} and ch.qos.logback without a
> version specified in {{./maven-embedder/pom.xml}}.
> But I'm no expert on this code base so it's possible there are other
> versioned references.
>
> Edit: One could argue, as the Logback team has done, that the CVE is
> unimportant since in order to exploit it one must already have compromised
> the system. However, security scanners pick this up as an issue, causing
> unnecessary work and justifications.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
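The report above points at a logback version declared in ./pom.xml and a logback dependency without a version in ./maven-embedder/pom.xml, and the reply notes that the dependency is optional. As an added example, not Maven project code and not written by either commenter, the following Python script scans pom.xml content for ch.qos.logback dependencies, resolves a missing version from a parent's dependencyManagement section and ${property} references, reports the optional flag, and classifies the resolved version against the range the report states (1.2.7 and earlier affected, 1.2.9 carrying the fix). The two POM documents are constructed for the example; version ordering is a simplified dotted-numeric comparison, not Maven's full ComparableVersion rules.

```python
"""Report ch.qos.logback versions declared in Maven POMs relative to the
CVE-2021-42550 range stated in MNG-7441.

Added example for this thread; not Maven's own code.  Assumptions (labelled):
affected = 1.2.7 and earlier, fixed = 1.2.9, both taken from the report text;
versions are ordered as plain dotted integers, qualifiers are dropped.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
GROUP = "ch.qos.logback"
LAST_AFFECTED = (1, 2, 7)   # "1.2.7 and earlier" per the report
FIXED = (1, 2, 9)           # version the report asks to upgrade to


def parse_version(text):
    """'1.2.7' or '1.2.7-SNAPSHOT' -> (1, 2, 7).  Qualifiers are ignored,
    which is a deliberate simplification of Maven's version ordering."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def classify(version):
    """Map a version string to a status relative to the reported range."""
    v = parse_version(version)
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIXED:
        return "fixed"
    return "between affected and fixed versions; review"


def _text(el, tag):
    child = el.find(f"m:{tag}", POM_NS)
    return child.text.strip() if child is not None and child.text else None


def _properties(root):
    props_el = root.find("m:properties", POM_NS)
    if props_el is None:
        return {}
    return {p.tag.split("}")[-1]: (p.text or "").strip() for p in props_el}


def _expand(value, props):
    """Expand ${name} against <properties>; unknown references stay as-is."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def managed_versions(pom_xml, group=GROUP):
    """artifactId -> version from <dependencyManagement>, properties expanded.
    A child POM inherits these for dependencies it declares without a version."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    out = {}
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    for dep in root.findall(path, POM_NS):
        if _text(dep, "groupId") == group:
            out[_text(dep, "artifactId")] = _expand(_text(dep, "version"), props)
    return out


def scan_pom(pom_xml, inherited=None, group=GROUP):
    """One dict per dependency of `group` in <dependencies>: artifact, the
    resolved version (own, then inherited management), optional flag, status."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    managed = dict(inherited or {})
    managed.update(managed_versions(pom_xml, group))
    results = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        if _text(dep, "groupId") != group:
            continue
        artifact = _text(dep, "artifactId")
        version = _expand(_text(dep, "version"), props) or managed.get(artifact)
        optional = (_text(dep, "optional") or "false").lower() == "true"
        status = classify(version) if version else "unresolved (version not in the POMs given)"
        results.append({"artifact": artifact, "version": version,
                        "optional": optional, "status": status})
    return results


# Constructed sample POMs mirroring the shape described in the report: a root
# POM that manages the logback version, and a module that declares the
# dependency without a version and marks it optional.
ROOT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>parent</artifactId><version>1.0</version>
  <properties><logbackVersion>1.2.1</logbackVersion></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId>
      <version>${logbackVersion}</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

MODULE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>module</artifactId>
  <dependencies>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId>
      <optional>true</optional></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for row in scan_pom(MODULE_POM, inherited=managed_versions(ROOT_POM)):
        print(row)
```

Run the module on its own to see the constructed module POM resolve to logback-classic 1.2.1 through the parent's managed version, flagged both as optional and as inside the affected range; scanning the module POM alone reports the version as unresolved, which is the case a scanner sees when it reads one file without its parent.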