eed3si9n / scalaxb

scalaxb is an XML data binding tool for Scala.

Home Page:http://scalaxb.org/

Migrate to log4j 2.17.1 or newer

LukaszKontowski opened this issue · comments

Current version of log4j - 1.2.17 - has lots of vulnerabilities. Also, Log4j 1 reached End-Of-Life in August 2015. Migrating to some safe log4j 2.x version would be beneficial for the project and for scalaxb users.

Migrate to log4j 2.17.1 or newer.

Example vulnerability findings for 1.2.17:

✗ Man-in-the-Middle (MitM) [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-1300176] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available

✗ Arbitrary Code Execution [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2316893] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available

✗ SQL Injection [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342645] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available

✗ Deserialization of Untrusted Data [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342646] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available

✗ Deserialization of Untrusted Data [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342647] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available

✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-3358774] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available

✗ Deserialization of Untrusted Data [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-572732] in log4j:log4j@1.2.17
  introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
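Until scalaxb itself moves off log4j 1.x, a downstream project can cut log4j 1.2.17 out of its own dependency graph. The build fragment below is an added example for this issue, not code from the scalaxb project or from the reporter. It assumes the dependency coordinates shown in the Snyk output above (org.scalaxb:scalaxb_2.13:1.9.0), a Scala 2.13.8 build, and that whatever in that chain calls org.apache.log4j.* only uses the classic Logger API, which the log4j-1.2-api bridge re-implements on top of log4j 2; the project name and version number are placeholders.

```scala
// build.sbt (added example, not part of scalaxb)
// Assumptions: scalaxb 1.9.0 for Scala 2.13 as in the Snyk trace above; Scala 2.13.8;
// transitive log4j 1.x callers only need the classic org.apache.log4j API surface.

ThisBuild / scalaVersion := "2.13.8"

// 2.17.1 is the floor this issue asks for; any newer 2.x release can be substituted.
lazy val log4j2Version = "2.17.1"

lazy val root = (project in file("."))
  .settings(
    name := "my-project",
    version := "0.1.0",
    libraryDependencies ++= Seq(
      "org.scalaxb" %% "scalaxb" % "1.9.0",
      // log4j 2 API + implementation, plus the 1.2 API bridge so that
      // org.apache.log4j.Logger calls coming from transitive dependencies
      // keep resolving after log4j:log4j is removed from the classpath.
      "org.apache.logging.log4j" % "log4j-api"     % log4j2Version,
      "org.apache.logging.log4j" % "log4j-core"    % log4j2Version,
      "org.apache.logging.log4j" % "log4j-1.2-api" % log4j2Version
    ),
    // Drop the EOL artifact everywhere it is introduced, not only for scalaxb:
    // Snyk reported "No upgrade or patch available" for every path, so the
    // exclusion has to be global rather than a per-dependency exclude().
    excludeDependencies += ExclusionRule("log4j", "log4j")
  )
```

To confirm the exclusion took effect, run `sbt "show Compile/dependencyClasspath"` and check that the only log4j jars listed come from org.apache.logging.log4j; re-running `snyk test` afterwards should no longer report the seven log4j:log4j@1.2.17 findings above. The bridge only covers the log4j 1.x Logger API; if a dependency ships a log4j.properties or relies on 1.x-specific appender classes, that configuration needs to be redone for log4j 2.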