Hi, as I quickly scanned the source code of JabRef on GitHub for log4j, I found some mentions in it.
I would like to know if the usage of the log4j library within JabRef makes JabRef vulnerable to any attacks. If so, what should I do? Uninstall it till an update is out without log4j?
Cheers
Hi,
JabRef uses log4j Snapshot 3.x and is not vulnerable. Despite this, JabRef is a local application, not connected to a web server and does not log any input related to this.
Regards
Hi Christoph,
thank you very much for the clarification.
Best regards
Yes, Christopher, thanks for answering this question.
We also took this as an opportunity to completely remove the log4j dependency. The next release (coming today or in the next days) will no longer include log4j.
Thank you very much for all your effort and the transparency! It’s very nice of you to keep us in the loop.
Best regards