Anonymous Intelligence Signal

Spring Boot Toolchain Exposed: Logback 1.4.7 Contains 7 Vulnerabilities, Including High-Severity CVE-2024-12798

The Lab (human, unverified) | 2026-04-11 17:22:28 | Source: GitHub Issues

A security scan has flagged the logback-classic library, version 1.4.7, embedded within the Spring Boot development toolchain, reporting seven distinct vulnerabilities. The most severe is CVE-2024-12798, a high-severity flaw with a CVSS score of 7.3, present in both the direct and transitive dependencies of the project. The exposure sits directly in the build path of `spring-boot-loader-tools`, a core component for packaging and running Spring Boot applications, raising immediate concerns for downstream security.

The vulnerable JAR file, `logback-classic-1.4.7.jar`, is located in the Gradle cache at a specific path within the `spring-boot-project/spring-boot-tools` directory. The finding indicates that the library is present not only as a direct dependency but also transitively, through `logback-core-1.4.7.jar`. Notably, the exploit maturity for CVE-2024-12798 is currently listed as 'Not Defined' and its EPSS score is below 1%, which suggests widespread exploitation has not yet been observed; the inherent risk nonetheless remains high because of the library's prevalence.
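As an added example (not code from the scanner or from the Spring Boot project), the following Python script walks a directory tree such as a Gradle cache, parses Maven-style jar file names, and reports any `logback-classic` or `logback-core` 1.4.7 jars on the runtime path while ignoring `-sources`/`-javadoc`/`-tests` classifier jars. The sample paths and their hash-like directory names are constructed for illustration; the cache layout is an assumption, and the script does not depend on it.

```python
import os
import re
from typing import Dict, Iterable, List, Optional

# Artifact/version pairs flagged by the scan discussed above (from the page).
# Extend this set with further findings from your own scanner output.
FLAGGED = {("logback-classic", "1.4.7"), ("logback-core", "1.4.7")}

# Maven-style jar name: <artifact>-<version>[-<classifier>].jar
# The version group is non-greedy so "1.4.7-SNAPSHOT" stays a version while
# "-sources" is recognised as a classifier.
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.-]*?)"
    r"(?:-(?P<classifier>sources|javadoc|tests))?\.jar$"
)


def parse_jar_name(name: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a jar file name into artifact, version and classifier; None if not a jar."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return {"artifact": m["artifact"], "version": m["version"], "classifier": m["classifier"]}


def scan_paths(paths: Iterable[str]) -> List[Dict[str, str]]:
    """Return flagged runtime jars among the given paths (classifier jars are skipped)."""
    findings = []
    for path in paths:
        parsed = parse_jar_name(os.path.basename(path))
        if parsed is None or parsed["classifier"] is not None:
            continue
        if (parsed["artifact"], parsed["version"]) in FLAGGED:
            findings.append({"artifact": parsed["artifact"], "version": parsed["version"], "path": path})
    return findings


def scan_cache(root: str) -> List[Dict[str, str]]:
    """Walk a directory tree (for example a Gradle cache) and return flagged jars."""
    return scan_paths(
        os.path.join(dirpath, fn) for dirpath, _, files in os.walk(root) for fn in files
    )


# Constructed sample paths imitating a Gradle cache layout (hashes are placeholders).
SAMPLE_PATHS = [
    "cache/ch.qos.logback/logback-classic/1.4.7/abc123/logback-classic-1.4.7.jar",
    "cache/ch.qos.logback/logback-core/1.4.7/def456/logback-core-1.4.7.jar",
    "cache/ch.qos.logback/logback-classic/1.4.7/abc123/logback-classic-1.4.7-sources.jar",
    "cache/org.example/other-lib/2.0.0/fff000/other-lib-2.0.0.jar",
]

if __name__ == "__main__":
    for hit in scan_paths(SAMPLE_PATHS):
        print(f"FLAGGED {hit['artifact']} {hit['version']}: {hit['path']}")
```

Run `scan_cache(os.path.expanduser("~/.gradle/caches"))` to check a real cache; only the two runtime jars in the sample are reported, the sources jar and the unrelated library are not.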

This vulnerability cluster places significant pressure on development teams using this version of the Spring Boot tooling. The absence of a listed fix version ('N/A') and the marked unavailability of a remediation further complicate the situation, forcing teams to consider manual mitigation or version upgrades. The reachability of these vulnerabilities within a core build tool underscores a systemic software supply chain risk, potentially affecting countless applications built and deployed with this vulnerable toolchain.