Issue
- Scans still report vulnerabilities in spring-web and spring-core, even after a fix was applied to spring-context.
- For spring-web, vulnerable component: org.springframework:spring-web:5.3.39
- For spring-core, vulnerable component: org.springframework:spring-core:5.3.39
Environment
- PaaS
Resolution
- While working on the CVE, we found that the root cause of the issue appears to be in spring-context, and we are patching a fix there.
- We do not need to patch or upgrade spring-web and spring-core directly. These vulnerabilities are exposed due to their dependency on spring-context. We've addressed the underlying issue in spring-context, and as long as this is fixed, spring-web and spring-core should be secure.
- We only need to patch spring-context for this CVE. spring-web and spring-core can remain unchanged; even though they may still appear in scans, they will be safe.
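The resolution above pins a fixed spring-context while leaving spring-web and spring-core at 5.3.39. As an added example (not from the ticket or the project), this Maven dependencyManagement fragment shows how to apply that override to the transitive spring-context dependency only; the patched version number is a placeholder, since the ticket does not state it.

```xml
<!-- Added example, not the project's own pom.xml. -->
<dependencyManagement>
  <dependencies>
    <!-- Pin only spring-context to the patched build.
         dependencyManagement also applies to transitive dependencies,
         so this overrides the 5.3.39 pulled in via spring-web/spring-core.
         PATCHED_VERSION is a placeholder; substitute the build that
         carries the spring-context fix. -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context</artifactId>
      <version>PATCHED_VERSION</version>
    </dependency>
    <!-- spring-web and spring-core are intentionally NOT listed here:
         per the resolution they stay at 5.3.39 and may still be flagged
         by scanners. Do not set the spring-framework.version property in
         a Spring Boot parent build, as that would move every Spring
         module, which is not the intent of this fix. -->
  </dependencies>
</dependencyManagement>
```

After the change, `mvn dependency:tree -Dincludes=org.springframework` shows whether spring-context resolved to the pinned version while spring-web and spring-core remain at 5.3.39, which is the expected state for the scanner findings described above.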