
zaproxy contains log4j exploit code

Open BustedSec opened this issue 3 years ago • 1 comments

The version of ZAP installed is behind the master branch that addressed this.

References:
https://www.blumira.com/analysis-log4shell-local-trigger/
https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/
https://github.com/zaproxy/zaproxy/pull/6979
https://github.com/zaproxy/zaproxy/issues/6980

Unsure what magic was done, but the magic needs updating to the most recent URL to pull a newer version via wget.

BustedSec, Sep 20 '22 13:09

Old issue, but no longer needs to be addressed as the latest Zaproxy release uses log4j 2.20.0 per bom.json.

ref: https://github.com/zaproxy/zaproxy/releases/tag/v2.15.0

0xv1n, Sep 28 '24 04:09