Hi,
We have detected that there is an old version of log4j included in the API codebase: log4j-1.2.8.jar at
This version of Log4J is known to contain several important security vulnerabilities, most notably:
Major ones:
CVE-2019-17571
Remote code execution via SocketServer
If you are checking out the codebase as part of a docker setup etc. or installing as per the documentation https://helioviewer-project.github.io/install/ you are going to inherit this log4j jar in your installation.
It seems the whole distribution of jsunit was added 17 years ago to the source tree. I'm not sure if it is really used, and it is a bit unusual to include the complete distribution of an external library in one's own codebase. Maybe it could be removed/cleaned up?
Many thanks,
Jonathan
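A scanner for the situation the issue describes (a vendored log4j jar buried in a third-party distribution inside the source tree), added here as an example; it is not code from the issue or from the helioviewer project. It walks a tree, identifies log4j jars by file name and, for renamed copies, by the presence of `org/apache/log4j/` classes plus the manifest's `Implementation-Version`, and flags the 1.2 line, since every 1.2.x release (1.2.0 through 1.2.17) ships the deserialising `SocketServer` behind CVE-2019-17571. The directory layout and the stand-in jars in `build_sample_tree()` are constructed for the example, not the real repository's files.

```python
"""Find bundled log4j jars in a source tree and flag the 1.2 line.

Added example, not helioviewer or jsunit code. The sample tree built by
build_sample_tree() is constructed (hypothetical paths, stand-in jars).
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

# Version taken from the file name, e.g. log4j-1.2.8.jar or log4j-core-2.17.1.jar
NAME_RE = re.compile(r"^log4j(?:-core|-api)?-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)


def jar_log4j_version(path: Path) -> Optional[str]:
    """Return the log4j version of a jar, or None if it is not a log4j jar.

    The file name is checked first. A renamed copy carries no version there,
    so the jar is opened: it must contain org/apache/log4j/ classes, and the
    Implementation-Version header of META-INF/MANIFEST.MF is then used.
    """
    m = NAME_RE.match(path.name)
    if m:
        return m.group(1)
    try:
        with zipfile.ZipFile(path) as zf:
            if not any(n.startswith("org/apache/log4j/") for n in zf.namelist()):
                return None
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "implementation-version":
            return value.strip()
    return None


def affected_by_cve_2019_17571(version: str) -> bool:
    """All Log4j 1.2.x releases (1.2.0 .. 1.2.17) ship the deserialising
    org.apache.log4j.net.SocketServer, so the whole 1.2 line is flagged."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version))
    return parts[:2] == (1, 2)


def scan_tree(root: Path) -> List[Dict[str, object]]:
    """Walk root and report every log4j jar with its version and CVE status."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            jar = Path(dirpath) / name
            version = jar_log4j_version(jar)
            if version is None:
                continue
            findings.append({
                "path": jar.relative_to(root).as_posix(),
                "version": version,
                "cve_2019_17571": affected_by_cve_2019_17571(version),
            })
    return sorted(findings, key=lambda f: str(f["path"]))


def _write_jar(path: Path, version: Optional[str], class_entry: str) -> None:
    """Write a minimal stand-in jar: a zip with a manifest and one class name."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if version:
            manifest += f"Implementation-Version: {version}\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(class_entry, b"")


def build_sample_tree() -> Path:
    """Constructed sample tree (hypothetical layout, not the real repository)."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    _write_jar(root / "jsunit/java/lib/log4j-1.2.8.jar", "1.2.8",
               "org/apache/log4j/net/SocketServer.class")
    _write_jar(root / "lib/logging.jar", "1.2.17",           # renamed 1.2.x copy
               "org/apache/log4j/net/SocketServer.class")
    _write_jar(root / "lib/log4j-core-2.17.1.jar", "2.17.1",  # 2.x, different package
               "org/apache/logging/log4j/core/Logger.class")
    _write_jar(root / "lib/other.jar", "4.13",                # not log4j at all
               "org/example/Other.class")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        status = "AFFECTED by CVE-2019-17571" if f["cve_2019_17571"] else "ok"
        print(f"{f['path']}: log4j {f['version']} - {status}")
```

Run it against a checkout with `scan_tree(Path("."))`. Matching on the file name alone would miss a jar that was renamed when it was vendored, which is why the manifest check is kept; conversely a jar whose name matches is not opened, so a fresh build is the cheapest way to confirm the jar is really unused before deleting the vendored distribution.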