These libs have known security vulnerabilities:
- Improper validation of certificate with host mismatch in Log4j2 SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
Solution: Update Apache Log4j to version 2.13.2 or later.
- SLF4J through version 1.7.25 is vulnerable to an XML deserialisation vulnerability in the EventData constructor. This may allow a context-dependent attacker to execute arbitrary code.
Solution: Update SLF4J to version 1.7.26 or later.
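One way to check a build against the two fixed versions above is to scan `mvn dependency:list` output. This is an added example, not code from the project. The Maven coordinates (`log4j-core` for the SMTP appender, `slf4j-ext` for `EventData`) and the sample output are assumptions, since the text names only the projects.

```python
import re

# Minimum fixed versions from the list above. The group:artifact coordinates
# are assumptions; the text names the projects, not the Maven artifacts.
MIN_FIXED = {
    ("org.apache.logging.log4j", "log4j-core"): "2.13.2",  # SMTP appender host mismatch
    ("org.slf4j", "slf4j-ext"): "1.7.26",                  # EventData deserialisation
}

# Constructed sample of `mvn dependency:list` output (not from a real build).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.11.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.11.1:compile
[INFO]    org.slf4j:slf4j-ext:jar:1.7.25:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.26:compile
[INFO]    com.example:widget:jar:tests:1.0.0:test
"""

def parse_dependency_list(text):
    """Yield (group, artifact, version) for each resolved dependency line."""
    for line in text.splitlines():
        fields = line.replace("[INFO]", "").strip().split(":")
        if len(fields) == 5:      # group:artifact:type:version:scope
            yield fields[0], fields[1], fields[3]
        elif len(fields) == 6:    # group:artifact:type:classifier:version:scope
            yield fields[0], fields[1], fields[4]

def version_key(version):
    """Numeric prefix as a tuple, e.g. '1.7.25' -> (1, 7, 25). Qualifiers
    such as '-SNAPSHOT' are ignored, so review those versions by hand."""
    nums = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(p) for p in nums.group().split(".")] if nums else []
    return tuple(parts + [0] * (3 - len(parts)))

def find_outdated(text):
    """Return (coordinate, found_version, fixed_version) for each dependency
    that is older than the fixed version listed for it."""
    findings = []
    for group, artifact, version in parse_dependency_list(text):
        fixed = MIN_FIXED.get((group, artifact))
        if fixed and version_key(version) < version_key(fixed):
            findings.append((f"{group}:{artifact}", version, fixed))
    return findings

if __name__ == "__main__":
    for coord, found, fixed in find_outdated(SAMPLE):
        print(f"{coord} {found} is below {fixed}: update required")
```

Transitive dependencies appear in the same listing, so an outdated copy pulled in by another library is reported as well.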