CVE-2021-44228 is not really published on #nvd yet (still under analysis).
nvd.nist.gov/vuln/detail/CV
A quick search on osv with the CVE ID is therefore empty.
osv.dev/list?q=CVE-202
Only #GitHub advisory seems to be reporting it (CC-BY-4.0 License)
github.com/advisories/GHS
As the author of #depscan, I really would like to help secure software. However, if a vulnerability is not available in a free data source such as NVD or OSV, there is no realistic chance to do this. I'm sure the same problem would exist for all free users of
Based on my limited research, only "log4j-core" and not "log4j-api" appears to be vulnerable. So, this advisory would trigger needless updates if the application depends solely on the "log4j-api" package. github.com/advisories/GHS issues.apache.org/jira/browse/LO
