[reload4j] SQL injection problem in JDBCAppender
Ceki Gülcü
ceki at qos.ch
Wed Jan 19 09:38:04 CET 2022
Hi All,
JDBCAppender uses simple strings instead of java.sql.Statement to talk
to the database. This creates a vulnerability point for SQL injection
attacks.
Fixing this vulnerability in JDBCAppender (a rarely used component) in a
backward compatible way would be a lot of work for very little or no
benefit.
As such, I propose to remove JDBCAppender from reload4j with no replacement.
Any objections?
--
Ceki Gülcü
Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch
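
The difference between building an INSERT as text and binding the logged values as parameters, shown as an added example that is not part of the original post or of reload4j's code. It uses Python's `sqlite3` as a stand-in database; the `%p`/`%m` pattern, the `logs` table and the sample messages are assumptions constructed for illustration.

```python
import sqlite3

# Assumed, simplified appender-style setup: a SQL text pattern in which %p and
# %m stand for the log level and message. Table and pattern are constructed.
SQL_PATTERN = "INSERT INTO logs (level, message) VALUES ('%p', '%m')"
SQL_BOUND = "INSERT INTO logs (level, message) VALUES (?, ?)"

# Constructed sample messages, as they might arrive from user-controlled input.
APOSTROPHE = "can't open file"
EXTRA_ROW = "login failed'), ('INFO', 'login ok for admin"


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logs (level TEXT, message TEXT)")
    return db


def append_by_string(db, level, message):
    """Build the statement as text: the message becomes part of the SQL."""
    db.execute(SQL_PATTERN.replace("%p", level).replace("%m", message))


def append_bound(db, level, message):
    """Bind the values as parameters: the SQL text never changes."""
    db.execute(SQL_BOUND, (level, message))


def stored(db):
    return db.execute("SELECT level, message FROM logs ORDER BY rowid").fetchall()


def demo():
    out = {}
    db = new_db()
    try:  # an ordinary apostrophe already breaks the generated statement
        append_by_string(db, "WARN", APOSTROPHE)
    except sqlite3.OperationalError:
        out["string_apostrophe_lost"] = stored(db) == []
    db = new_db()  # one log event ends up as two rows, one of them forged
    append_by_string(db, "WARN", EXTRA_ROW)
    out["string_extra"] = stored(db)
    db = new_db()  # bound parameters store both messages verbatim
    append_bound(db, "WARN", APOSTROPHE)
    append_bound(db, "WARN", EXTRA_ROW)
    out["bound"] = stored(db)
    return out


if __name__ == "__main__":
    print(demo())
```

With the string-built statement the log table no longer reflects what was logged: one event is dropped and another is stored as two rows, which is what a reviewer should look for in any appender that formats events into SQL text.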