@Gianluca Gabrielli

> This is the same case of CVE-2021-4104, and a CVE has been assigned to it.

It is indeed the same case. But our alliance leads at Snyk have reached out to try and discuss our doubts about this with the Red Hat security team. It's why I suggested holding off on the publication of the CVE temporarily.

> ...at least if this is not documented.

Actually I believe it is documented. The initial "exploit" https://github.com/cn-panda/logbackRceDemo demonstrates how JNDIConnectionSource can be used to achieve RCE. From the documentation http://logback.qos.ch/apidocs/ch/qos/logback/core/db/JNDIConnectionSource.html:

> The JNDIConnectionSource is an implementation of ConnectionSource that obtains a DataSource from a JNDI provider and uses it to obtain a Connection.

Which basically means JNDIConnectionSource is meant to download (and run) the DataSource class via JNDI.