JENKINS-67369

log4j dependency has another vulnerability CVE-2021-45046 in Talend Plugin

    • 1.14

      See JENKINS-67353. A second vulnerability, CVE-2021-45046, requires updating Log4j to 2.16 now.
      This one is less important but will still be detected by scanners and alert all users.


          Wadeck Follonier created issue -
          Wadeck Follonier made changes -
          Description Original: See JENKINS-67353 New: See JENKINS-67353, second vulnerability: CVE-2021-45046, requires to update Log4j to 2.16 now.
          Wadeck Follonier made changes -
          Priority Original: Critical [ 2 ] New: Major [ 3 ]
          Wadeck Follonier made changes -
          Labels Original: CVE-2021-44228 security New: CVE-2021-45046 security
          Wadeck Follonier made changes -
          Description Original: See JENKINS-67353, second vulnerability: CVE-2021-45046, requires to update Log4j to 2.16 now. New: See JENKINS-67353, second vulnerability: CVE-2021-45046, requires to update Log4j to 2.16 now.
          This one is less important but will still be detected by scanners and alert all users.

          Daniel Beck added a comment -

          I'd also like to note that the plugin is improperly set up for CD, that's why the version number includes "-rc". See https://www.jenkins.io/doc/developer/publishing/releasing-cd/#pom-file-modifications

          Daniel Beck made changes -
          Released As Original: Manual release 1.3

          P Peters added a comment -

          I removed the log4j dependency altogether and I intend to start using CI releases when I solve having a dependency that is not published to maven central.


          P Peters added a comment -

          Removed the dependency on log4j altogether

          P Peters made changes -
          Released As New: 1.14
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Closed [ 6 ]

            afkab P Peters
            wfollonier Wadeck Follonier