I have 5 Grails servers built on 3.3.2 and they all have this dependency:
--- org.grails:grails-plugin-rest: -> 3.3.2
| --- org.grails:grails-plugin-datasource:3.3.2
| | \--- org.apache.tomcat.embed:tomcat-embed-logging-log4j:8.5.2
CodePudding user response:
Is the Grails 3.3.2 dependency on tomcat-embed-logging-log4j-8.5.2.jar an issue due to recent log4j vulnerabilities?
No. Your app could still have a dependency on something that brings the vulnerability in, but tomcat-embed-logging-log4j-8.5.2.jar does not.
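One way to check the rest of the tree for such a dependency, as an added example that is not part of the answer above: it parses Gradle dependency-tree output like the one in the question and reports the resolved versions of the Log4j 2 core artifact, matching on the exact group:artifact so a name that merely contains "log4j" is not flagged. The target coordinate, the `MIN_FIXED` threshold and the `com.example` lines in the sample are assumptions made for this example.

```python
import re

# Assumptions for this example: the artifact to look for and the first
# release treated as fixed. Set both from the advisory you are tracking.
TARGET = "org.apache.logging.log4j:log4j-core"
MIN_FIXED = (2, 17, 1)

# Constructed sample: the first three lines mirror the question's tree,
# the com.example lines are invented to show a hit and a forced upgrade.
SAMPLE_TREE = r"""
+--- org.grails:grails-plugin-rest: -> 3.3.2
|    +--- org.grails:grails-plugin-datasource:3.3.2
|    |    \--- org.apache.tomcat.embed:tomcat-embed-logging-log4j:8.5.2
+--- com.example:reporting-lib:1.0
|    \--- org.apache.logging.log4j:log4j-core:2.11.0
\--- com.example:other-lib:2.0
     \--- org.apache.logging.log4j:log4j-core:2.11.0 -> 2.17.1 (*)
"""

COORD = re.compile(
    r"^[|\s]*[+\\]?-{3}\s+"            # tree-drawing prefix
    r"(?P<ga>[\w.\-]+:[\w.\-]+)"       # group:artifact
    r"(?::(?P<declared>[^\s:]+))?:?"   # optional declared version
    r"(?:\s+->\s+(?P<resolved>\S+))?"  # optional version Gradle resolved to
)

def version_tuple(version):
    """Turn '2.11.0' or '2.0-beta9' into a comparable 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(nums) + (0,) * (3 - len(nums))

def find_target(tree_text, target=TARGET, min_fixed=MIN_FIXED):
    """Return sorted (resolved_version, below_min_fixed) pairs for target."""
    seen = {}
    for line in tree_text.splitlines():
        m = COORD.match(line)
        if not m or m.group("ga") != target:
            continue  # exact coordinate match, not a substring search
        # The version after '->' is what ends up on the classpath.
        version = m.group("resolved") or m.group("declared")
        if version:
            seen[version] = version_tuple(version) < min_fixed
    return sorted(seen.items())

if __name__ == "__main__":
    for version, flagged in find_target(SAMPLE_TREE):
        print(TARGET, version, "REVIEW" if flagged else "ok")
```

Feed it the full dependency report for the runtime classpath rather than a single branch, since the artifact can arrive through any plugin.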