We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
大佬,你好,我是@abbykimi,我IDE运行您这个项目的时候,提示有几个漏洞,项目调用了org.apache.logging.log4j:log4j-core等9个开源组件,存在6个安全漏洞,建议你升级下。
漏洞标题:Apache Log4j2 < 2.15.0远程代码执行漏洞 漏洞编号:CVE-2021-44228 漏洞描述: Apache log4j是java中常用的日志记录组件,攻击者发现在小于2.15.0的版本中存在远程代码执行漏洞。 漏洞原因: 由于log4j2默认支持JNDI在内的Lookup查找机制,当日志内容中包含${foo.bar}样式的内容时,会查找相应的值进行替换。因此当用户请求中的内容通过log4j作为日志内容记录时,攻击者可能通过恶意构造的内容,触发log4j的lookup方法,进而执行恶意代码。 影响范围:[2.4, 2.12.3) 最小修复版本:2.12.3 引入路径: cn.edu.thu:[email protected]>org.apache.logging.log4j:[email protected]
另外5个漏洞 ,信息有点多我就不贴了,你自己看下完整报告:https://www.mfsec.cn/jr?p=ia6e20
如果你对这个issues有任何疑问可以回复我哈( @abbykimi ),我会及时回复你的。
The text was updated successfully, but these errors were encountered:
has merged #2 #3 #4 #6
Sorry, something went wrong.
No branches or pull requests
大佬,你好,我是@abbykimi,我IDE运行您这个项目的时候,提示有几个漏洞,项目调用了org.apache.logging.log4j:log4j-core等9个开源组件,存在6个安全漏洞,建议你升级下。
另外5个漏洞 ,信息有点多我就不贴了,你自己看下完整报告:https://www.mfsec.cn/jr?p=ia6e20
如果你对这个issues有任何疑问可以回复我哈( @abbykimi ),我会及时回复你的。
The text was updated successfully, but these errors were encountered: