Log4j module usage

Question

astra-OCE opened this issue 3 years ago · 3 comments

astra-OCE commented 3 years ago

Exploit

N/A

N/A

compileOnly 'org.apache.logging.log4j:log4j-core:2.0-beta9' - contains active vulnerability with the log4j 2.x only seen within only discord module.

?push to compileOnly: 'org.apache.logging.log4j:log4j-core:2.15.0'

N/A

N/A

N/A

JRoy · Answer 1 · 2021-12-10T15:29:43.000Z

Essentials doesn't compile log4j, just uses it's API. I will bump the log4j version however as most server versions have bumped it as well.

astra-OCE · Answer 2 · 2021-12-10T15:37:33.000Z

sounds good

triagonal · Answer 3 · 2021-12-12T10:11:46.000Z

Resolved in #4677.