google / log4jscanner

A log4j vulnerability filesystem scanner and Go package for analyzing JAR files.
Apache License 2.0

False negative for old library versions #51

Open nikaiw opened 2 years ago

nikaiw commented 2 years ago

The current detection strategy ignores any jar that does not contain JndiManager. Because of this it misses the following vulnerable libraries:

log4j-core-2.0-beta9.jar
log4j-core-2.0-rc1.jar
log4j-core-2.0-rc2.jar
log4j-core-2.0.jar
log4j-core-2.0.1.jar
log4j-core-2.0.2.jar

Edit: Hm, seeing #45, I understand this is also accepted behavior for now.

singlethink commented 2 years ago

This was fixed by https://github.com/google/log4jscanner/pull/54
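As an added example, not code from log4jscanner or from anyone in this thread, the Go program below contrasts the two strategies the issue is about: a check that only looks further once JndiManager.class is present, which returns "not vulnerable" for a jar that ships JndiLookup.class alone, and a check keyed on JndiLookup.class by itself. The class paths, the in-memory jars built with archive/zip, and the premise that the 2.0.x releases listed above carry JndiLookup without JndiManager are assumptions of this example, not statements taken from the issue or from PR #54.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
)

// Class entries checked inside a log4j-core jar. Assumption for this
// example: old 2.0.x jars contain JndiLookup but not JndiManager, so a
// scanner gated on JndiManager never looks at them.
const (
	jndiLookupClass  = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
	jndiManagerClass = "org/apache/logging/log4j/core/net/JndiManager.class"
)

// entryNames returns the set of normalized file names in a zip held in memory.
func entryNames(jar []byte) (map[string]bool, error) {
	r, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return nil, err
	}
	names := make(map[string]bool, len(r.File))
	for _, f := range r.File {
		names[path.Clean(f.Name)] = true
	}
	return names, nil
}

// vulnerableGated models the behaviour the issue reports: a jar is only
// inspected for JndiLookup if JndiManager is present, so jars without
// JndiManager are silently treated as clean.
func vulnerableGated(jar []byte) (bool, error) {
	names, err := entryNames(jar)
	if err != nil {
		return false, err
	}
	if !names[jndiManagerClass] {
		return false, nil // early exit: the false negative happens here
	}
	return names[jndiLookupClass], nil
}

// vulnerableByLookup flags any jar that ships JndiLookup, regardless of
// whether JndiManager exists alongside it.
func vulnerableByLookup(jar []byte) (bool, error) {
	names, err := entryNames(jar)
	if err != nil {
		return false, err
	}
	return names[jndiLookupClass], nil
}

// buildJar constructs an in-memory jar with the given entry names. The
// entry bodies are placeholder bytes; only the names matter to the checks.
func buildJar(entries ...string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, name := range entries {
		f, err := w.Create(name)
		if err != nil {
			panic(err)
		}
		io.WriteString(f, "\xca\xfe\xba\xbe") // class-file magic, content irrelevant
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	samples := []struct {
		label string
		jar   []byte
	}{
		{"old-style jar (JndiLookup only)", buildJar(jndiLookupClass)},
		{"later jar (JndiLookup + JndiManager)", buildJar(jndiLookupClass, jndiManagerClass)},
		{"jar without either class", buildJar("META-INF/MANIFEST.MF")},
	}
	for _, s := range samples {
		g, _ := vulnerableGated(s.jar)
		l, _ := vulnerableByLookup(s.jar)
		fmt.Printf("%-40s gated=%v byLookup=%v\n", s.label, g, l)
	}
}
```

Run as-is and the first line shows the discrepancy the issue describes: the gated check reports the JndiLookup-only jar as clean while the lookup-based check flags it; the other two samples agree under both strategies.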