
[Vulnerability] log4j-core 2.13.3 in docker image openvsx-server (CVE-2021-45046)

Open amtadev opened this issue 2 years ago • 2 comments

I downloaded and scanned openvsx-server docker image version 72706d1, and found that it has/uses/references log4j-core 2.13.3 which is vulnerable (CVE-2021-45046).

Could you confirm if this is actually used within the image? And if yes, are there any plans to update it to >= 2.17.1?

amtadev avatar Jun 08 '22 13:06 amtadev

(image attachment; not available in this text)

amtadev avatar Jun 10 '22 11:06 amtadev

Updating spdx-tools to version 2.2.7 should mitigate this issue. It uses log4j 2.17.0.

amtadev avatar Jun 10 '22 11:06 amtadev
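The open question in this thread is whether the flagged log4j-core jar is actually present in the image and at what version, and whether a transitive dependency (here spdx-tools) pulls in a second copy. The script below is an added example, not part of the issue or of the openvsx project: it walks an exported container filesystem (for example the output of `docker export` unpacked into a directory), finds `log4j-core-*.jar` files both loose on disk and nested inside fat jars or wars, and flags every copy below a minimum version (default 2.17.1, the threshold the reporter asked about). The directory layout and jar names in `build_sample_tree` are constructed fixtures, not paths from the real image.

```python
"""Find log4j-core jars in an unpacked image filesystem and flag old versions.

Detection is by jar file name, including jars nested inside fat jars/wars.
Added example; directory layout below is a constructed fixture.
"""
import io
import os
import re
import tempfile
import zipfile

# Minimum acceptable version; the thread asks for >= 2.17.1.
MIN_SAFE = (2, 17, 1)
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(name):
    """Return (major, minor, patch) for a log4j-core jar name, else None."""
    m = JAR_RE.search(name)
    return tuple(int(x) for x in m.groups()) if m else None


def scan_zip_bytes(data, path):
    """Recursively scan an in-memory archive; nested paths use '!' as separator."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a real archive, nothing to inspect
    with zf:
        for member in zf.namelist():
            version = parse_version(member)
            if version:
                findings.append((f"{path}!{member}", version))
            elif member.endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_zip_bytes(zf.read(member), f"{path}!{member}"))
    return findings


def scan_tree(root):
    """Walk an unpacked filesystem and collect every log4j-core jar with its version."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            version = parse_version(name)
            if version:
                findings.append((full, version))
            elif name.endswith(ARCHIVE_SUFFIXES):
                with open(full, "rb") as fh:
                    findings.extend(scan_zip_bytes(fh.read(), full))
    return findings


def vulnerable(findings, minimum=MIN_SAFE):
    """Keep only copies whose version is below the minimum."""
    return [(path, v) for path, v in findings if v < minimum]


def build_sample_tree():
    """Constructed fixture: one loose old jar plus a fat jar with a nested copy."""
    root = tempfile.mkdtemp(prefix="image-fs-")
    lib = os.path.join(root, "home", "openvsx", "lib")
    os.makedirs(lib)
    # Loose jar on disk; detection is by name, so an empty file is enough here.
    open(os.path.join(lib, "log4j-core-2.13.3.jar"), "wb").close()
    # Fat jar (Spring Boot style layout) carrying a newer nested copy.
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as inner:
        inner.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(root, "home", "openvsx", "app.jar"), "w") as fat:
        fat.writestr("BOOT-INF/lib/log4j-core-2.17.0.jar", nested.getvalue())
        fat.writestr("BOOT-INF/lib/log4j-api-2.17.1.jar", nested.getvalue())
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    found = scan_tree(root)
    for path, version in found:
        flag = "OLD " if version < MIN_SAFE else "ok  "
        print(flag, ".".join(map(str, version)), path)
    print(f"{len(vulnerable(found))} copies below {'.'.join(map(str, MIN_SAFE))}")
```

Run it with the unpacked image directory as the first argument; with no argument it scans the constructed fixture, which reports the loose 2.13.3 copy and the nested 2.17.0 copy as both below 2.17.1. Name-based matching is a first pass only: a relocated or shaded copy of log4j-core will not carry this file name, so a negative result from this script is not proof that the class is absent from the image.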