Closed abo1787 closed 3 months ago
The logback-classic library is used for the KeePass plugin only. If you don't need the plugin, just disable the module.
Nevertheless, the receiver component is not used by the tool.
I'll provide a new version with updated dependencies.
We're a customer of Axway's (I'm having to comment from my personal account), and we were reviewing use of yamles-utils in our container to set up CI/CD.
We've been notified after building with the latest version of this source that vuln CVE-2023-6378 was found pertaining to logback. It's noted that this only applies if using receivers, and I'm not 100% sure how to validate this package does or does not use them. Is there any way we could get some info on whether this package is actually vulnerable, or if we can provide something to our security team to note it's safe to use?
If it helps, it looks like it's pinging off of "ch.qos.logback/logback-core 1.3.7, and ch.qos.logback/logback-classic 1.3.7"
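One way to give a security team the evidence asked for above: CVE-2023-6378 concerns logback's receiver component, which is only active when a logback configuration declares a `<receiver>` element, so scanning the logback XML config shipped in the container for that element shows whether it is enabled. The script below is an added example, not code from the issue thread or from yamles-utils; both sample configurations are constructed for illustration.

```python
# Added example: check a logback XML configuration for <receiver> elements,
# the component CVE-2023-6378 concerns. Sample configs are constructed.
import xml.etree.ElementTree as ET

# Constructed sample: a typical console-only logback config, no receivers.
SAFE_CONFIG = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level %logger - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>"""

# Constructed sample: the same style of config plus a socket receiver that
# listens for serialized logging events, which is what the advisory covers.
RECEIVER_CONFIG = """<configuration>
  <receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver">
    <port>4560</port>
  </receiver>
  <root level="INFO"/>
</configuration>"""


def find_receivers(xml_text: str) -> list[str]:
    """Return the class attribute of every <receiver> element in the config.

    An empty list means the configuration does not enable the receiver
    component at all, regardless of which logback version is on the classpath.
    """
    root = ET.fromstring(xml_text)
    # <receiver> is normally a direct child of <configuration>, but iterate
    # the whole tree so a misplaced element is not missed.
    return [elem.get("class", "<no class attribute>")
            for elem in root.iter("receiver")]


def uses_receiver(xml_text: str) -> bool:
    """True if the configuration declares at least one receiver."""
    return bool(find_receivers(xml_text))


if __name__ == "__main__":
    for name, cfg in (("console-only", SAFE_CONFIG),
                      ("with receiver", RECEIVER_CONFIG)):
        print(f"{name}: receivers={find_receivers(cfg)}")
```

Run `find_receivers` over each logback.xml (or logback-spring.xml) extracted from the container image; an empty result for every file, together with the maintainer's statement above, is the evidence to attach for the security team.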