The “play-samples” project uses a vulnerable version of the log4j library (2.17.0). This exposes the project to a potential RCE vulnerability: CVE-2021-44832 (Remote Code Execution). Apache also published a reference for CVE-2021-44832. You should upgrade the log4j library to the latest version.
You can see the version of the log4j library in use in this file:
```scala
val log4jVersion = "2.17.0"

lazy val root = (project in file("."))
  .enablePlugins(PlayScala)
  .disablePlugins(PlayLogback)
  .settings(
    name := """play-scala-log4j2-example""",
    version := "1.0-SNAPSHOT",
    scalaVersion := "2.13.6",
    libraryDependencies ++= Seq(
      guice,
      "org.apache.logging.log4j" % "log4j-slf4j-impl" % log4jVersion,
      "org.apache.logging.log4j" % "log4j-api" % log4jVersion,
      "org.apache.logging.log4j" % "log4j-core" % log4jVersion,
      "org.scalatestplus.play" %% "scalatestplus-play" % "5.0.0" % Test,
    ),
    scalacOptions ++= Seq(
      "-feature",
      "-deprecation",
      "-Xfatal-warnings"
    )
  )
```
This vulnerable library can cause a Remote Code Execution vulnerability in the “play-samples” project. You should upgrade this library.
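As an added example (not code from the issue or from the play-samples project), the following POSIX shell script pulls the `log4jVersion` value out of a build definition like the one above and flags it when it is below 2.17.1, the first 2.17.x release in which Apache fixed CVE-2021-44832. The `SAMPLE_BUILD_SBT` content is constructed for the example and mirrors the quoted fragment; the function names are this example's own.

```shell
# Added example: check a build.sbt's log4jVersion against the CVE-2021-44832 fix.
# Not part of the play-samples project; function names are this example's own.

# Constructed sample mirroring the build definition quoted in the issue.
SAMPLE_BUILD_SBT='val log4jVersion = "2.17.0"
lazy val root = (project in file("."))'

# First release of the 2.17.x line that fixed CVE-2021-44832.
LOG4J_FIXED_VERSION="2.17.1"

# Print the value assigned to log4jVersion in the build definition read from stdin.
log4j_version_from_sbt() {
  sed -n 's/^[[:space:]]*val[[:space:]]\{1,\}log4jVersion[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when dot-separated version $1 is greater than or equal to $2.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0;
      yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0
  }'
}

# Report the log4j version declared in build content $1.
# Returns 0 if at or above the fix, 1 if below it, 2 if no log4jVersion was found.
check_log4j() {
  v=$(printf '%s\n' "$1" | log4j_version_from_sbt)
  if [ -z "$v" ]; then
    echo "log4jVersion not found in build definition"
    return 2
  fi
  if version_ge "$v" "$LOG4J_FIXED_VERSION"; then
    echo "log4j $v: at or above $LOG4J_FIXED_VERSION, not affected by CVE-2021-44832"
    return 0
  fi
  echo "log4j $v: below $LOG4J_FIXED_VERSION, affected by CVE-2021-44832; upgrade to the latest release"
  return 1
}

# Run the check against the constructed sample (expected: flagged, exit status 1).
check_log4j "$SAMPLE_BUILD_SBT" || echo "exit status $?"
```

Run it with `sh check.sh`, or replace the sample with `check_log4j "$(cat build.sbt)"` to test a real build file. The threshold is deliberately simple: the same CVE was also fixed on the older 2.12.x and 2.3.x maintenance lines, so a project pinned to one of those branches would need its own threshold rather than the 2.17.1 rule used here.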