At Snyk we are currently investigating the validity of these kinds of issues as a CVE. I would advise not to issue those at the moment. Speaking personally, it doesn't seem like a vulnerability because a malicious actor has to have write access to the configuration to exploit it.
Precisely. Now, given that logback.xml write access permission can escalate to an RCE, it is best to harden logback to eliminate this potential avenue of attack altogether. Consequently, I have already asked the Swiss National Cybersecurity Center to assign this issue a CVE. I am waiting for their reply.
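Both comments hinge on the same precondition: the attacker needs write access to logback.xml. As an added example (not part of this thread, and not logback's own tooling), the POSIX sh snippet below checks that precondition directly: it reports whether a given account could modify a configuration file, treating ownership as write access (the owner can always chmod the file back) and taking group membership into account. The paths and the service account name `appsvc` are hypothetical; `ls -L` is used so a symlinked logback.xml is checked at its target.

```sh
#!/bin/sh
# Added example: verify that the account running the application cannot
# modify its logback configuration. Assumes POSIX sh, ls(1), id(1), cut(1).

# config_writable_by FILE USER
# Returns 0 if USER could modify FILE, 1 if not, 2 if FILE cannot be checked.
# Ownership counts as write access even when the owner write bit is cleared,
# because the owner can chmod the file back.
config_writable_by() {
  file=$1
  user=$2
  [ -e "$file" ] || { echo "missing: $file" >&2; return 2; }
  # ls -ldL prints: mode links owner group ... (follows symlinks)
  set -- $(ls -ldL "$file")
  mode=$1 owner=$3 group=$4
  # root is not constrained by mode bits at all
  [ "$user" = root ] && return 0
  [ "$owner" = "$user" ] && return 0
  # world-writable: character 9 of the mode string is the "other" write bit
  [ "$(printf '%s' "$mode" | cut -c9)" = w ] && return 0
  # group-writable (character 6) and USER is a member of the file's group
  if [ "$(printf '%s' "$mode" | cut -c6)" = w ]; then
    for g in $(id -Gn "$user" 2>/dev/null || true); do
      [ "$g" = "$group" ] && return 0
    done
  fi
  return 1
}

# check_logback_configs USER FILE...
# Prints one line per file; returns 0 only if no file is writable by USER.
# A file that cannot be checked also counts as a failure.
check_logback_configs() {
  user=$1; shift
  rc=0
  for f in "$@"; do
    config_writable_by "$f" "$user" && st=0 || st=$?
    case $st in
      0) echo "FAIL $f is writable by $user"; rc=1 ;;
      1) echo "ok   $f" ;;
      *) echo "FAIL $f could not be checked"; rc=1 ;;
    esac
  done
  return $rc
}

# Hypothetical usage: check_logback_configs appsvc /opt/app/conf/logback.xml
```

The check is a least-privilege control around the precondition both commenters describe, not a substitute for hardening logback itself: a deployment where the service account owns or can write its own logback.xml fails the check.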