google / log4jscanner

A log4j vulnerability filesystem scanner and Go package for analyzing JAR files.
Apache License 2.0
1.56k stars, 121 forks

Scan does not catch log4j log4j-1.2.12.jar #55

Open vitikyalapatii opened 2 years ago

vitikyalapatii commented 2 years ago

The log4j scanner does not seem to catch log4j-1.2.12.jar (which is obviously vulnerable).

There is this other scanner that I used, which was able to accurately mark this version of the log4j jar as vulnerable. Scanner used: https://github.com/hillu/local-log4j-vuln-scanner/releases/tag/v0.13

```text
./local-log4j-vuln-scanner.macosx --quiet /Users/hillu-log4j-scanner-test/
Checking for vulnerabilities: CVE-2019-17571, CVE-2021-44228, CVE-2021-45105
indicator for vulnerable component found in /Users/hillu-log4j-scanner-test/log4j-1.2.12.jar (org/apache/log4j/net/SocketNode.class): SocketNode.class log4j 1.2.12 CVE-2019-17571
```

Would it be possible to fix the scanner to catch this log4j / any version that is less than 2.17.0?
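The check the other scanner's output shows is a class-name lookup inside the jar: `org/apache/log4j/net/SocketNode.class` only exists in log4j 1.x, and its presence is what gets reported as CVE-2019-17571. The following is an added example in Go, written for this page and not code from log4jscanner or from local-log4j-vuln-scanner, of how such a check can be done over a jar and over jars nested inside it (fat jars, Spring Boot `BOOT-INF/lib`). Since log4j 1.x is end-of-life and has no fixed release, the check flags presence rather than comparing against a version threshold; the version it prints is read from `META-INF/maven/log4j/log4j/pom.properties`, an assumption that holds for Maven-built 1.2.x jars but not necessarily for older builds. `BuildSampleJAR`, the `64 MiB` per-entry cap and the nested path `BOOT-INF/lib/log4j-1.2.12.jar` are constructed for the demo; the class entry it writes is an empty placeholder, because only entry names are inspected.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"log"
	"os"
	"strings"
)

const (
	// Class the other scanner in the issue reports for CVE-2019-17571 (log4j 1.x).
	log4j1Indicator = "org/apache/log4j/net/SocketNode.class"
	// Assumption: Maven-built log4j 1.2.x jars record their version in this
	// file; a jar without it is reported with version "unknown".
	log4j1PomProps = "META-INF/maven/log4j/log4j/pom.properties"
	// Cap on one decompressed entry, so a crafted fat jar cannot exhaust memory.
	maxEntryBytes = 64 << 20
)

// Finding is one jar carrying the indicator; nested jar paths are joined with "!".
type Finding struct{ Path, Version string }

func readEntry(f *zip.File) ([]byte, error) {
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	b, err := io.ReadAll(io.LimitReader(rc, maxEntryBytes+1))
	if err == nil && len(b) > maxEntryBytes {
		err = fmt.Errorf("%s: entry exceeds %d bytes", f.Name, maxEntryBytes)
	}
	return b, err
}

// ScanJARBytes scans an in-memory jar, recursing into *.jar entries up to
// maxDepth levels, and reports every jar that contains the indicator class.
func ScanJARBytes(path string, data []byte, maxDepth int) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, fmt.Errorf("%s: %w", path, err)
	}
	var findings []Finding
	found, version := false, "unknown"
	for _, f := range zr.File {
		switch {
		case f.Name == log4j1Indicator:
			found = true
		case f.Name == log4j1PomProps:
			b, err := readEntry(f)
			if err != nil {
				return nil, err
			}
			// pom.properties is "key=value" per line; take the text after "version=".
			if _, v, ok := strings.Cut(string(b), "version="); ok {
				version = strings.TrimSpace(strings.SplitN(v, "\n", 2)[0])
			}
		case strings.HasSuffix(strings.ToLower(f.Name), ".jar") && maxDepth > 0:
			b, err := readEntry(f)
			if err != nil {
				return nil, err
			}
			nested, err := ScanJARBytes(path+"!"+f.Name, b, maxDepth-1)
			if err != nil {
				return nil, err
			}
			findings = append(findings, nested...)
		}
	}
	if found {
		findings = append(findings, Finding{Path: path, Version: version})
	}
	return findings, nil
}

// BuildSampleJAR constructs a minimal jar in memory for offline testing; the
// class entry is an empty placeholder, since only entry names are inspected.
func BuildSampleJAR(version string, withLog4j1 bool, nested []byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name, body string) {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	add("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
	if withLog4j1 {
		add(log4j1Indicator, "")
		add(log4j1PomProps, "groupId=log4j\nartifactId=log4j\nversion="+version+"\n")
	}
	if nested != nil {
		add("BOOT-INF/lib/log4j-1.2.12.jar", string(nested)) // constructed nesting
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	hits, err := ScanJARBytes(os.Args[1], data, 2)
	if err != nil {
		log.Fatal(err)
	}
	for _, h := range hits {
		fmt.Printf("%s: log4j %s contains %s (CVE-2019-17571)\n", h.Path, h.Version, log4j1Indicator)
	}
}
```

Run it as `go run . path/to/some.jar`; a hit inside a fat jar is printed as `app.jar!BOOT-INF/lib/log4j-1.2.12.jar`. The recursion depth and per-entry size cap are there because a scanner that decompresses untrusted archives is itself an attack surface: without them a deeply nested or highly compressed jar can stall or exhaust the scanner. A class-name indicator says only that log4j 1.x classes are present; it does not tell you whether the application actually uses `SocketServer`, so treat the result as a lead for inventory and removal rather than proof of exploitability.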