dakrone / clj-http

An idiomatic clojure http client wrapping the apache client. Officially supported version.
http://clojars.org/clj-http
MIT License

Severe security vulnerability in used version of log4j2 #603

Closed anneCarlson closed 2 years ago

anneCarlson commented 2 years ago

A few hours ago, a 0-day exploit in the popular Java logging library log4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string. Version 2.14.1, the version used by the most up-to-date version of clj-http, is a vulnerable version. Updating the version of log4j2 would close this vulnerability.

KaliszAd commented 2 years ago

Isn't it only in dev? (At least if I understand project.clj correctly.)

anneCarlson commented 2 years ago

> Isn't it only in dev? (At least if I understand project.clj correctly.)

You are correct! My mistake. Thanks for looking into it.
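The question settled above (does the vulnerable log4j-core reach users of the library, or only its dev profile?) is one a maintainer usually answers by reading the resolved dependency tree rather than project.clj alone. The shell functions below are an added example, not part of this issue or of clj-http; they scan a captured `lein deps :tree` listing for log4j-core artifacts and report each one's version and scope. The listing embedded as `SAMPLE_TREE` is constructed for the example, and the assumption that lein prints a `:scope "test"` marker on test-scoped entries (and nothing for compile scope) is about the listing format, not about clj-http. Run the real listing through `find_log4j_core` with the profiles your consumers actually get, and compare the reported version against the fixed version named in the advisory you are acting on.

```shell
#!/bin/sh
# Added example (not clj-http code): find log4j-core entries in a `lein deps :tree` listing.

# Constructed sample listing in the shape `lein deps :tree` prints (assumption about format);
# the log4j-core line carries the 2.14.1 version discussed in the issue, in test scope.
SAMPLE_TREE='
 [clj-http "3.12.3"]
   [commons-codec "1.15"]
   [org.apache.httpcomponents/httpclient "4.5.13"]
 [org.apache.logging.log4j/log4j-core "2.14.1" :scope "test"]
 [org.clojure/clojure "1.10.3"]
'

# Read a dependency listing on stdin and print one line per log4j-core entry:
#   <artifact> <version> <scope>
# Scope falls back to "compile" when the listing shows none (assumed lein convention).
find_log4j_core() {
  grep -oE 'org\.apache\.logging\.log4j/log4j-core "[^"]*"( :scope "[^"]*")?' \
    | sed -E 's/^([^ ]+) "([^"]+)"( :scope "([^"]+)")?$/\1 \2 \4/' \
    | awk '{ if ($3 == "") $3 = "compile"; print $1, $2, $3 }'
}

# Print only the version strings of log4j-core entries in the listing given as $1,
# so the caller can compare them against the fixed version from the advisory.
log4j_core_versions() {
  printf '%s\n' "$1" | find_log4j_core | awk '{ print $2 }'
}

# Exit 0 if any log4j-core entry in the listing given as $1 is outside test scope
# (i.e. would be shipped to consumers of the library), exit 1 otherwise.
ships_log4j_core() {
  printf '%s\n' "$1" | find_log4j_core \
    | awk '$3 != "test" { found = 1 } END { exit found ? 0 : 1 }'
}

# Stand-alone run: report what the constructed listing contains.
printf '%s\n' "$SAMPLE_TREE" | find_log4j_core
if ships_log4j_core "$SAMPLE_TREE"; then
  echo "log4j-core reaches consumers"
else
  echo "log4j-core is test-scoped only"
fi
```

The scope check only distinguishes `:scope "test"` from everything else; a dependency that lein merges in from the `:dev` profile shows up with no scope marker, so run the listing with the profile set your consumers receive before trusting a "test-scoped only" result.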