
4.0.0-M3 is using logback-core 1.5.18 (with a CVE) #4060

@fleboulch

Description

From Spring Boot 3.5.7:

[INFO] \- org.springframework.boot:spring-boot-starter-data-jpa:jar:3.5.7:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:3.5.7:compile
[INFO]       \- org.springframework.boot:spring-boot-starter-logging:jar:3.5.7:compile
[INFO]          \- ch.qos.logback:logback-classic:jar:1.5.20:compile
[INFO]             \- ch.qos.logback:logback-core:jar:1.5.20:compile

To Spring Boot 4.0.0-M3:

[INFO] \- org.springframework.boot:spring-boot-starter-data-jpa:jar:4.0.0-M3:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:4.0.0-M3:compile
[INFO]       \- org.springframework.boot:spring-boot-starter-logging:jar:4.0.0-M3:compile
[INFO]          \- ch.qos.logback:logback-classic:jar:1.5.18:compile
[INFO]             \- ch.qos.logback:logback-core:jar:1.5.18:compile

There is a downgrade of the logback dependency (from 1.5.20 to 1.5.18), and the older version contains a CVE.
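A downgrade like the one reported above is easy to miss in a long dependency tree, but it can be caught mechanically. The script below is an added example, not code from the issue, its author, or Spring Boot: it parses two `mvn dependency:tree` outputs (the two excerpts quoted in the issue, embedded as sample input) and lists every artifact whose resolved version moved backwards. The function names and the simplified version ordering (numeric prefix first, a final release above any `-M3`/`-RC1` style qualifier) are this example's own assumptions and are simpler than Maven's `ComparableVersion`.

```python
"""Flag dependency downgrades between two `mvn dependency:tree` outputs.

Added example: not code from the issue or from Spring Boot. The two sample
trees below are the excerpts quoted in the issue; everything else (function
names, the version-ordering rule) is this example's own design.
"""
import re
from typing import Dict, List, Tuple

# Sample input: the dependency:tree excerpts quoted in the issue
# (raw strings, because Maven draws the tree with `\-`).
OLD_TREE = r"""
[INFO] \- org.springframework.boot:spring-boot-starter-data-jpa:jar:3.5.7:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:3.5.7:compile
[INFO]       \- org.springframework.boot:spring-boot-starter-logging:jar:3.5.7:compile
[INFO]          \- ch.qos.logback:logback-classic:jar:1.5.20:compile
[INFO]             \- ch.qos.logback:logback-core:jar:1.5.20:compile
"""

NEW_TREE = r"""
[INFO] \- org.springframework.boot:spring-boot-starter-data-jpa:jar:4.0.0-M3:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:4.0.0-M3:compile
[INFO]       \- org.springframework.boot:spring-boot-starter-logging:jar:4.0.0-M3:compile
[INFO]          \- ch.qos.logback:logback-classic:jar:1.5.18:compile
[INFO]             \- ch.qos.logback:logback-core:jar:1.5.18:compile
"""

# Tree-drawing characters Maven prints in front of each coordinate.
_TREE_CHARS = " \\+-|"


def parse_tree(text: str) -> Dict[str, str]:
    """Map "group:artifact" -> resolved version for every coordinate in the tree.

    Coordinates look like group:artifact:packaging[:classifier]:version:scope,
    so the version is always the second-to-last colon-separated field.
    """
    resolved: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):]
        coord = line.lstrip(_TREE_CHARS).strip()
        parts = coord.split(":")
        if len(parts) not in (5, 6):
            continue  # blank line, plugin banner, or the root project line
        ga = f"{parts[0]}:{parts[1]}"
        # Maven mediates to a single version per artifact; keep the first seen.
        resolved.setdefault(ga, parts[-2])
    return resolved


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Ordering for version strings (assumption of this example):
    numeric dotted prefix first, then a final release (no qualifier)
    above any pre-release qualifier such as M3 or RC1.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(?:[.-](.+))?$", version)
    if not m:
        return ((), 0, version)  # unparseable: sorts below anything numeric
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:  # treat 1.5 and 1.5.0 as equal
        nums.pop()
    qualifier = m.group(2) or ""
    return (tuple(nums), 1 if qualifier == "" else 0, qualifier)


def find_downgrades(old_tree: str, new_tree: str) -> List[Tuple[str, str, str]]:
    """Return (group:artifact, old_version, new_version) for every artifact
    present in both trees whose resolved version went backwards."""
    old, new = parse_tree(old_tree), parse_tree(new_tree)
    return [
        (ga, old[ga], new_ver)
        for ga, new_ver in sorted(new.items())
        if ga in old and version_key(new_ver) < version_key(old[ga])
    ]


if __name__ == "__main__":
    for ga, before, after in find_downgrades(OLD_TREE, NEW_TREE):
        print(f"DOWNGRADE {ga}: {before} -> {after}")
```

In practice you would capture `mvn dependency:tree` from the build before and after the upgrade and feed both files to `find_downgrades`; every reported artifact is a candidate to check against the vulnerability database, since a transitive downgrade can silently reintroduce a fixed CVE. Until a milestone that pulls in the newer artifact is available, overriding the managed version (Spring Boot exposes it as the `logback.version` build property) restores the patched release.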

Metadata

Labels

for: external-project (For an external project and not something we can fix)