EssentialsX

EssentialsX

2M Downloads

Log4j module usage

astra-OCE opened this issue ยท 3 comments

commented

Type of bug

Exploit

/ess dump all output

N/A

Error log (if applicable)

N/A

Bug description

compileOnly 'org.apache.logging.log4j:log4j-core:2.0-beta9' - contains active vulnerability with the log4j 2.x only seen within only discord module.

?push to compileOnly: 'org.apache.logging.log4j:log4j-core:2.15.0'

Steps to reproduce

N/A

Expected behaviour

N/A

Actual behaviour

N/A

commented

Essentials doesn't compile log4j, just uses it's API. I will bump the log4j version however as most server versions have bumped it as well.

commented

sounds good

commented

Resolved in #4677.