gaia-app / gaia

Gaia is a Terraform 🌍 UI for your modules, and self-service infrastructure 👨‍💻

Home Page: https://gaia-app.io


πŸ› gaia using a vunerable verison of log4j2

rknechtel opened this issue · comments

Describe the bug
After doing an effective-pom I discovered gaia is using a vulnerable version of log4j2.
<log4j2.version>2.13.3</log4j2.version>

To Reproduce
Steps to reproduce the behavior:

  1. run:
    mvn help:effective-pom
  2. look for log4j2.version.
  3. See vulnerable version number.

Expected behavior
log4j2 version should be at least 2.17.1 or greater.

Additional context
This makes gaia a vulnerable application.

This version of log4j2 is coming from:

org.springframework.boot
spring-boot-starter-data-mongodb

It will mean gaia will need to be updated from Spring Boot 2.4.2 to 2.6.4.

Reference:
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core

Yikes!!
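The check described in the reproduction steps, as an added example that is not part of the issue or of the gaia project: it pulls `log4j2.version` out of an effective-pom dump and flags anything below 2.17.1, using a constructed sample that mirrors the value quoted above (the function names and the 2.17.1 threshold are assumptions taken from the report).

```shell
#!/bin/sh
# Added example, not gaia project code. Real use:
#   mvn help:effective-pom -Doutput=effective-pom.xml
#   check_effective_pom effective-pom.xml

# Constructed sample mirroring the <log4j2.version> quoted in the issue.
SAMPLE_POM='<project>
  <properties>
    <log4j2.version>2.13.3</log4j2.version>
  </properties>
</project>'

# Print the log4j2.version property from an effective-pom XML file (empty if absent).
log4j2_version() {
  sed -n 's/.*<log4j2\.version>\([^<]*\)<\/log4j2\.version>.*/\1/p' "$1" | head -n 1
}

# Return 0 if dotted version $1 is greater than or equal to $2 (numeric per field).
version_ge() {
  lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$2" ]
}

# Return 0 when the file pins log4j2 to >= 2.17.1, 1 when older, 2 when the property is missing.
check_effective_pom() {
  v=$(log4j2_version "$1")
  if [ -z "$v" ]; then
    echo "log4j2.version not found in $1"
    return 2
  fi
  if version_ge "$v" "2.17.1"; then
    echo "log4j2.version=$v: OK"
    return 0
  fi
  echo "log4j2.version=$v: below 2.17.1, override the property in the pom <properties>"
  return 1
}

# Stand-alone demo on the constructed sample; the exit status carries the finding.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_POM" > "$tmp"
status=0
check_effective_pom "$tmp" || status=$?
rm -f "$tmp"
echo "exit status: $status"
```

The property check only covers the Spring Boot managed version; `mvn dependency:tree -Dincludes=org.apache.logging.log4j` shows which resolved log4j artifacts actually land on the classpath.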