Closed: anneCarlson closed this 2 years ago
A few hours ago, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string. Version 2.14.1, the version used by the most up-to-date version of clj-http, is a vulnerable version. Updating the version of log4j2 would close this vulnerability.
Isn't it only in dev? (At least if I understand project.clj correctly.)
You are correct! My mistake. Thanks for looking into it.