Outdated log4j-core Detected During Automated CI/CD Scans

Hello! I'd appreciate any help you could provide here

Description: Automated vulnerability scans (Grype) in our CI/CD pipelines have detected that the project is currently depending on an outdated version of log4j-core (2.12.4). The scan flagged [GHSA-vc5p-v9hr-52mj](https://github.com/advisories/GHSA-vc5p-v9hr-52mj) as a medium-severity issue.

Details:

    Vulnerable artifact: log4j-core 2.12.4
    Fixed in: log4j-core 2.25.3
    Severity: Medium
    Reference vulnerability: [GHSA-vc5p-v9hr-52mj](https://github.com/advisories/GHSA-vc5p-v9hr-52mj)
```
Impacted versions: >=2.0-beta9 and <2.25.3
Discovered: 2 days ago
Published: 3 days ago
Path: /opt/apm/elastic-apm-agent.jar
```


Steps to Reproduce:

    Run a vulnerability scan against the built artifact using tools such as Grype
    Observe the detected vulnerability for log4j-core

Expected Behavior: No vulnerabilities at medium severity or above should be detected in dependency scans.

Thanks in advance :) 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Outdated log4j-core Detected During Automated CI/CD Scans #4346

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Outdated log4j-core Detected During Automated CI/CD Scans #4346

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions