gradle plugin and its dependencies

I want to understand how my local cache(.gradle/caches/modules-2/files-2) gets built. I wiped my local cache, have one java project with the build file where i don't declare any dependencies. I only declared one plugin 'java', run build and my cache filled with bunch of libraries where i see log4j v1.2.12 and guava v17 that are known for the vulnerabilities. I upgraded my gradle and gradle wrapper to 6.5 version, deleted my cache and ran ./gradlew build --refresh-dependencies same log4j and guava same versions got loaded again. My understanding is that local cache gets dependencies loaded from gradle plugins declared in the build file. Is it possible to control this kind of dependencies in terms of what version is used?