eclipse / vorto

Vorto Project
www.eclipse.org/vorto
Eclipse Public License 2.0

log4shell log4j RCE vulnerability #2786

Closed w4tsn closed 2 years ago

w4tsn commented 2 years ago

Since this project currently does not have a project lead to handle this disclosure internally I'd like to raise the issue that this project seems to use log4j which has a severe (easy to use) RCE vulnerability that only recent versions of the logger project resolve.

I would assume this project being affected until it is proven otherwise. I've not checked against the specific attack myself though.

Anyone using this project should make sure to implement mitigation strategies against this RCE.

t-gauss commented 2 years ago

At first glance it seems the repository itself is not affected. We use a vulnerable version atm only as a transitive dependency of JMeter, which is used for performance tests. But I will look into it more thoroughly.

t-gauss commented 2 years ago

Sorry for the late reply. The repository is not affected by this vulnerability.