PkgRadar

Maven · repo1.maven.org

co.elastic.apm:apm-agent-attach-cli

Java Jndi Lookup: JNDI / Naming.lookup — remote class-loading primitive (Log4Shell family).

Why PkgRadar flagged 1.56.0

SeveritySignalEvidence
mediumJava Jndi LookupJNDI / Naming.lookup — remote class-loading primitive (Log4Shell family). · org/apache/logging/log4j/core/net/JndiManager.java
mediumJava Dynamic ClassloadURLClassLoader / defineClass — runs attacker-provided bytecode. · META-INF/versions/9/net/bytebuddy/agent/ByteBuddyAgent.java
mediumJava Dynamic ClassloadURLClassLoader / defineClass — runs attacker-provided bytecode. · co/elastic/apm/attach/bytebuddy/agent/ByteBuddyAgent.java
mediumJava Unsafe DeserializeObjectInputStream / XStream.fromXML — untrusted deserialization sink. · org/apache/logging/log4j/util/SortedArrayStringMap.java
mediumJava Process SpawnRuntime.exec / ProcessBuilder — process spawning. · META-INF/versions/9/net/bytebuddy/agent/ByteBuddyAgent.java
mediumJava Process SpawnRuntime.exec / ProcessBuilder — process spawning. · META-INF/versions/9/net/bytebuddy/agent/VirtualMachine.java
mediumJava Process SpawnRuntime.exec / ProcessBuilder — process spawning. · co/elastic/apm/attach/bytebuddy/agent/ByteBuddyAgent.java
mediumJava Process SpawnRuntime.exec / ProcessBuilder — process spawning. · co/elastic/apm/attach/bytebuddy/agent/VirtualMachine.java
mediumJava Process SpawnRuntime.exec / ProcessBuilder — process spawning. · com/sun/jna/NativeLibrary.java
mediumJava Static Init Side EffectStatic-initializer block contains process/network/reflection — runs on first class load (contributory signal). · com/sun/jna/NativeLibrary.java

Scanned versions

VersionVerdictScoreScanned (UTC)
1.56.0Review1522026-06-15

Block this in CI

PkgRadar gates co.elastic.apm:apm-agent-attach-cli (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem maven co.elastic.apm:[email protected]
Start free — 25 scans / moView full evidence