{"package":"org.apache.logging.log4j:log4j-core","ecosystem":"maven","latest_version":"3.0.0-beta3","description":"The Apache Log4j Implementation","license":"Apache-2.0","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://logging.apache.org/log4j/3.x/","repository":"","downloads_weekly":0,"health":{"score":45,"risk":"high","breakdown":{"maintenance":5,"popularity":0,"security":25,"maturity":15,"community":0},"deprecated":false,"max_score":100},"vulnerabilities":{"count":0,"critical":0,"high":0,"medium":0,"low":0,"details":[]},"versions":{"latest":"3.0.0-beta3","total_count":75,"recent":["2.25.4","2.25.3","2.25.2","2.25.1","2.25.0","2.24.3","2.24.2","3.0.0-beta3","2.24.1","2.24.0","2.23.1","3.0.0-beta2","2.23.0","2.22.1","3.0.0-beta1","2.22.0","2.21.1","2.21.0","3.0.0-alpha1","2.20.0"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":0,"first_published":null,"last_published":"2024-11-09T05:54:30+00:00","dependencies_count":0,"dependencies":[]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":{"count":2,"matches_current_version":false,"incidents":[{"affected_versions":">=2.0-beta9,<2.17.0","incident_type":"critical_rce","year":2021,"summary":"Log4Shell — CVE-2021-44228. Remote code execution via JNDI lookups in log message strings. Affected log4j-core versions 2.0-beta9 through 2.14.1, with CVE-2021-45046 affecting up to 2.16.0. Fix: upgrade to 2.17.0+ (or 2.17.1 for full mitigation including CVE-2021-45105).","refs":["CVE-2021-44228 | https://nvd.nist.gov/vuln/detail/CVE-2021-44228 | https://logging.apache.org/log4j/2.x/security.html"],"matches_current_version":false},{"affected_versions":">=2.15.0,<2.17.0","incident_type":"critical_rce","year":2021,"summary":"CVE-2021-45046. Incomplete fix for Log4Shell; allows RCE via Thread Context Map lookup pattern. Fix: 2.17.0 or later.","refs":["CVE-2021-45046 | https://nvd.nist.gov/vuln/detail/CVE-2021-45046"],"matches_current_version":false}]},"recommendation":{"action":"safe_to_use","issues":[],"use_version":"3.0.0-beta3","version_hint":null,"summary":"org.apache.logging.log4j:log4j-core@3.0.0-beta3 is safe to use (health: 45/100)","alternatives":[{"name":"org.slf4j:slf4j-api","reason":"prefer programming against slf4j-api and binding any logger backend","builtin":false},{"name":"ch.qos.logback:logback-classic","reason":"post-log4shell many projects moved to slf4j + logback default","builtin":false}]},"version_scoped":null,"requested_version":null,"_cache":"miss","_response_ms":727,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"alternatives_link":{"url":"/api/alternatives/maven/org.apache.logging.log4j:log4j-core","count":2},"co_used_with":[{"package":"gulplog","occurrences":7},{"package":"Microsoft.IO.RecyclableMemoryStream","occurrences":2}],"version_history_summary":{"total_versions":20,"first_release_age_days":5024,"last_release_days_ago":539,"avg_days_between_releases":264,"release_velocity":"stale"}}