Logback had a log4j2-like vulnerability, though by not allowing recursive parameter substitution it seems exploitable only of you can modify the logging configuration.
PSA: I got alerted by the nightly build for some projects failing, thanks to the maven plugin org.owasp:dependency-check-maven that checks your dependency tree for CVEs. I had just added it after the log4j2 mess, seems like it was a good idea! Can't believe I went years without such a safeguard.
1 comment
[ 2.7 ms ] story [ 13.4 ms ] threadPSA: I got alerted by the nightly build for some projects failing, thanks to the maven plugin org.owasp:dependency-check-maven that checks your dependency tree for CVEs. I had just added it after the log4j2 mess, seems like it was a good idea! Can't believe I went years without such a safeguard.