The current version of log4j, 1.2.17, has many known vulnerabilities. Also, Log4j 1 reached End-of-Life in August 2015. Migrating to a safe log4j 2.x version would be beneficial for the project and for scalaxb users.
Migrate to log4j 2.17.1 or newer.
Example vulnerability findings for 1.2.17:
✗ Man-in-the-Middle (MitM) [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-1300176] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
✗ Arbitrary Code Execution [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2316893] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
✗ SQL Injection [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342645] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
✗ Deserialization of Untrusted Data [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342646] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
✗ Deserialization of Untrusted Data [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342647] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-3358774] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
✗ Deserialization of Untrusted Data [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-572732] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
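Until scalaxb itself moves to log4j 2.x, a consuming project can stop the transitive log4j 1.2.17 from reaching its classpath by excluding it and adding the log4j 2 bridge. This is an added example, not code from the scalaxb project; the scalaxb coordinates are taken from the findings above, and the `com.my-company` project and Scala version are the placeholders from the Snyk output.

```scala
// build.sbt of the consuming project (hypothetical com.my-company:my-project_2.13)
// Before: scalaxb_2.13 1.9.0 pulls in log4j:log4j:1.2.17 transitively,
// which is what every finding above points at.
//
// libraryDependencies += "org.scalaxb" %% "scalaxb" % "1.9.0"

// After: drop the EOL log4j 1.x artifact and route any org.apache.log4j.*
// calls made by scalaxb (or other libraries) to log4j 2 via the 1.2 bridge.
scalaVersion := "2.13.8"

libraryDependencies ++= Seq(
  "org.scalaxb" %% "scalaxb" % "1.9.0" exclude("log4j", "log4j"),
  "org.apache.logging.log4j" % "log4j-api"     % "2.17.1",
  "org.apache.logging.log4j" % "log4j-core"    % "2.17.1",
  // Bridge implementing the org.apache.log4j 1.x API on top of log4j 2;
  // needed because scalaxb still compiles against the log4j 1.x classes.
  "org.apache.logging.log4j" % "log4j-1.2-api" % "2.17.1"
)

// Belt-and-braces: fail the build if log4j:log4j sneaks back in through
// another dependency, so the exclusion cannot silently regress.
excludeDependencies += ExclusionRule("log4j", "log4j")
```

After the change, `sbt "show update"` (or the dependency graph plugin, if installed) should list only org.apache.logging.log4j artifacts and no log4j:log4j entry; log4j 2.17.1 requires Java 8 or newer.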