[ https://issues.apache.org/jira/browse/MNG-7441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17519394#comment-17519394 ]
Tamás Cservenák commented on MNG-7441:
--------------------------------------

Applied:
3.8.x https://github.com/apache/maven/commit/6189b4810f726e29798fd76c27724e632c465318
3.9.x https://github.com/apache/maven/commit/083423fd50bd5aecc5e1ecf4350a99f30d9acfb3
master https://github.com/apache/maven/commit/d14bb3b8d34723cadd139bc4e5c3e3efdfbf68b8

> Update Version of Logback to Address CVE-2021-42550
> ---------------------------------------------------
>
>                 Key: MNG-7441
>                 URL: https://issues.apache.org/jira/browse/MNG-7441
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.8.5
>            Reporter: Mac Hale
>            Assignee: Tamás Cservenák
>            Priority: Major
>             Fix For: 3.8.6, 3.9.0, 4.0.0
>
>
> [CVE-2021-42550|https://nvd.nist.gov/vuln/detail/CVE-2021-42550] is present in Logback versions 1.2.7 and earlier. Maven uses v 1.2.1. Please update to Logback 1.2.9, which includes a fix as per [LOGBACK-1591|https://jira.qos.ch/browse/LOGBACK-1591].
>
> I see ch.qos.logback 1.2.1 in {{./pom.xml}} and ch.qos.logback without a version specified in {{./maven-embedder/pom.xml}}
>
> But I'm no expert on this code base so it's possible there are other versioned references.
>
> Edit: One could argue, as the Logback team has done, that the CVE is unimportant since in order to exploit it one must already have compromised the system. However, security scanners pick this up as an issue, causing unnecessary work and justifications.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
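The report above describes exactly the kind of check a dependency scanner performs: find every ch.qos.logback reference in a pom, resolve its version (a literal, a `${property}`, a dependencyManagement entry, or nothing at all when it is inherited from a parent pom), and compare it against the 1.2.9 the ticket asks for. The following is an added example written for this page, not code from the Maven project or from any commenter; the two pom snippets at the bottom are constructed for illustration and are not the real `./pom.xml` or `./maven-embedder/pom.xml`, and the property name `logbackVersion` is a hypothetical placeholder.

```python
"""Flag ch.qos.logback dependencies in a pom.xml that sit below the Logback
version requested in MNG-7441. Added example, not the Maven project's code."""
import re
import xml.etree.ElementTree as ET

LOGBACK_GROUP = "ch.qos.logback"
# The ticket asks for 1.2.9; CVE-2021-42550 is reported against 1.2.7 and earlier.
FIXED_VERSION = (1, 2, 9)


def parse_version(text):
    """'1.2.1' -> (1, 2, 1); stops at the first non-numeric piece such as '-SNAPSHOT'."""
    parts = []
    for piece in re.split(r"[.-]", text.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


class Pom:
    """Just enough of a pom reader to resolve dependency versions in one file."""

    def __init__(self, xml_text):
        self.root = ET.fromstring(xml_text)
        # Poms normally declare the default POM namespace; tolerate ones that do not.
        self.ns = self.root.tag[1:].split("}")[0] if self.root.tag.startswith("{") else ""
        self.props = self._properties()
        self.managed = self._managed_versions()

    def tag(self, name):
        return "{%s}%s" % (self.ns, name) if self.ns else name

    def path(self, *names):
        return "/".join(self.tag(n) for n in names)

    def text(self, elem, name):
        child = elem.find(self.tag(name))
        return child.text.strip() if child is not None and child.text else None

    def _properties(self):
        props = {}
        props_elem = self.root.find(self.tag("properties"))
        if props_elem is not None:
            for child in props_elem:
                props[child.tag.split("}", 1)[-1]] = (child.text or "").strip()
        project_version = self.text(self.root, "version")
        if project_version:
            props["project.version"] = project_version
        return props

    def resolve(self, version):
        """Expand ${property} references; None when the value cannot be resolved here."""
        if version is None:
            return None
        expanded = re.sub(r"\$\{([^}]+)\}",
                          lambda m: self.props.get(m.group(1), m.group(0)), version)
        return None if "${" in expanded else expanded

    def _managed_versions(self):
        managed = {}
        for dep in self.root.findall(self.path("dependencyManagement", "dependencies", "dependency")):
            key = (self.text(dep, "groupId"), self.text(dep, "artifactId"))
            managed[key] = self.resolve(self.text(dep, "version"))
        return managed


def logback_findings(pom_xml):
    """One finding per ch.qos.logback dependency: where it is, what version, what to do."""
    pom = Pom(pom_xml)
    findings = []
    for section in ("dependencyManagement", "dependencies"):
        names = (section, "dependencies") if section == "dependencyManagement" else (section,)
        for dep in pom.root.findall(pom.path(*names, "dependency")):
            group = pom.text(dep, "groupId")
            if group != LOGBACK_GROUP:
                continue
            artifact = pom.text(dep, "artifactId")
            version = pom.resolve(pom.text(dep, "version"))
            if version is None:  # no version here: fall back to this pom's dependencyManagement
                version = pom.managed.get((group, artifact))
            if version is None:
                status = "unresolved"  # managed by a parent pom we cannot see; check that one too
            elif parse_version(version) < FIXED_VERSION:
                status = "update"
            else:
                status = "ok"
            findings.append({"section": section, "artifact": artifact,
                             "version": version, "status": status})
    return findings


# Constructed sample poms for this example (not the real Maven files).
ROOT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>root</artifactId><version>1.0</version>
  <properties><logbackVersion>1.2.1</logbackVersion></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId>
      <version>${logbackVersion}</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

MODULE_POM = """<project>
  <modelVersion>4.0.0</modelVersion><artifactId>module</artifactId>
  <dependencies>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for name, pom in (("root", ROOT_POM), ("module", MODULE_POM)):
        for finding in logback_findings(pom):
            print(name, finding)
```

The "unresolved" status is the point of the module case: a versionless dependency is not safe, it simply inherits whatever the parent's dependencyManagement says, so the parent pom has to be checked as well, which is why the reporter flagged both files.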