Java Tech Enthusiast
Jan 1, 2025 · Information Security
Fixing Logback CVE-2023-6378 in Spring Boot 2.7.x
To remediate CVE-2023-6378 in a Spring Boot 2.7.x application, you must replace the default logging starter with a direct Logback 1.2.x dependency (e.g., 1.2.13). Spring Boot 2.7 cannot use Logback 1.3.x because the StaticLoggerBinder class was removed there, so the only other option is to upgrade the whole stack to Spring Boot 3.x, Logback 1.4.x, and JDK 11.
CVE-2023-6378 · Logback · Spring Boot
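The dependency swap described in the summary, as an added example that is not taken from the original article. It assumes a Maven build, and `spring-boot-starter-web` stands in for whichever starter the application actually declares.

```xml
<!-- pom.xml fragment (illustrative; assumes a Maven build on Spring Boot 2.7.x) -->
<dependencies>

  <!-- Any starter that transitively brings in spring-boot-starter-logging.
       spring-boot-starter-web is used here only as a placeholder. -->
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
      <!-- Drop the default logging starter so its managed Logback
           version is no longer pulled in through this dependency. -->
      <exclusion>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-logging</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Declare Logback directly on the 1.2.x line. An explicit version on a
       direct dependency takes precedence over the managed version. -->
  <dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId>
    <version>1.2.13</version>
  </dependency>
  <dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-core</artifactId>
    <version>1.2.13</version>
  </dependency>

  <!-- Note: the excluded starter also supplied the jul-to-slf4j and
       log4j-to-slf4j bridges. Declare them separately if the application
       relies on them. Repeat the exclusion on every other starter that
       would otherwise reintroduce spring-boot-starter-logging. -->

</dependencies>
```

Running `mvn dependency:tree -Dincludes=ch.qos.logback` afterwards shows which Logback version the build actually resolves.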