Logback had a log4j2-like vulnerability, though by not allowing recursive parameter substitution it seems exploitable only if you can modify the logging configuration.
PSA: I got alerted by the nightly build for some projects failing, thanks to the Maven plugin org.owasp:dependency-check-maven that checks your dependency tree for CVEs. I had just added it after the log4j2 mess; seems like it was a good idea! Can't believe I went years without such a safeguard.