log4j2-core-2.17.0 is marked as potential vulnerable #151
Assignees
Labels
Comments
ChKemper
changed the title
xeraph
added a commit
that referenced
this issue
Dec 19, 2021
|
@ChKemper Thank you for your patch PR again. :D |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
after applying the latest fixes the log4j-core-2.17.0.jar is marked as potentially vulnerable:
[?] Found CVE-2021-44228 (log4j 2.x) vulnerability in /Users/xgadkem/Downloads/log4j/log4j-core-2.17.0.jar, log4j N/A - potentially vulnerable.
I think the bug is related in class Detector:220 and Detector:176.
When reading the pom.properties of 2.17 there is no version given back. So in line 220 the JAR is marked as mitigrated (because the JndiLookup class existes).
I've made my test with the attatched JAR.
log4j-core-2.17.0.jar.zip
The text was updated successfully, but these errors were encountered: