spring-boot-dependencies 2.7.9 has multiple Vulnerabilities #34561
Comments
Unfortunately, in our experience automated security scans are of limited value as they generate an overwhelming number of false positives. Most importantly in this case, Beyond this, the security scanning is a really blunt instrument and without further analysis of its findings in the context of your application, the output is of little use. Let's look at a few of the CVEs reported with this in mind:
Having looked at the first 4 CVEs, we have a 100% false-positive rate and there's nothing we can do in Spring Boot to address them. Automated scanning tools generate so many false positives that we simply don't have time to document them and explain why they are false positives or how and when a particular application may be vulnerable. The latter requires knowledge of the application which we simply don't have. Please rest assured that we do take security seriously. We regularly update our dependencies on other Spring projects and third-party libraries to keep up-to-date. Vulnerabilities in Spring projects are listed on the Spring Security Advisories page which I would encourage you to keep an eye on. On the rare occasion where there has been a vulnerability found in a Spring project, we coordinate with that project to update Spring Boot as soon as a release that addresses the vulnerability is available. Typically the release announcement (on https://spring.io/blog) will mention when a release addresses a vulnerability.
As per the Maven repository
Vulnerabilities from dependencies:
CVE-2023-25194
CVE-2022-45868
CVE-2022-4492
CVE-2022-41854
CVE-2022-41853
CVE-2022-38752
CVE-2022-38751
CVE-2022-38750
CVE-2022-38749
CVE-2022-35278
CVE-2022-25857
CVE-2022-1471
Link: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies/2.7.9
Screenshot
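One concrete form of the per-application analysis the maintainer asks for above: check each reported CVE against what the build actually resolves, not against the BOM that the scanner was pointed at. spring-boot-dependencies only pins versions, so a CVE against a managed artifact is a finding for your application only if that artifact is on your classpath (and even then only if the vulnerable code path is reachable). The script below is an added example, not Spring Boot's own code or the issue author's. The `mvn dependency:tree` excerpt is constructed for a hypothetical application, and the artifact mapping and fixed-in version for each CVE are illustrative assumptions that must be checked against the advisory for that CVE.

```python
"""Triage scanner findings against what a Maven build actually resolves.

A scanner pointed at a BOM such as spring-boot-dependencies flags every artifact
whose *managed* version has a CVE. A BOM only pins versions; the application is
exposed only if the artifact ends up on its classpath, and even then only if the
vulnerable code path is reachable. This script does the first of those checks.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    coordinates: str  # "group:artifact"
    fixed_in: str     # first version not affected (assumption, see below)


# Constructed findings. The CVE ids are from the issue; the artifact mapping and
# fixed-in versions are illustrative assumptions and must be checked against the
# advisory for each CVE before being relied on.
FINDINGS = [
    Finding("CVE-2022-1471", "org.yaml:snakeyaml", "2.0"),
    Finding("CVE-2022-45868", "com.h2database:h2", "2.2.220"),
    Finding("CVE-2023-25194", "org.apache.kafka:connect-runtime", "3.4.0"),
]

# Constructed excerpt in the shape of `mvn dependency:tree` output for a
# hypothetical web application: snakeyaml arrives transitively, h2 and kafka never do.
DEPENDENCY_TREE = r"""
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.9:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.9:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.7.9:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.9:compile
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:2.7.9:test
"""


def version_tuple(version, width=4):
    """Numeric-only comparison key: '1.30' -> (1, 30, 0, 0). Good enough for
    plain Maven versions; qualifiers such as -SNAPSHOT are ignored."""
    nums = [int(x) for x in re.findall(r"\d+", version)]
    return tuple((nums + [0] * width)[:width])


def parse_tree(text):
    """Map 'group:artifact' -> [(version, scope), ...] for every resolved node.

    Node tokens look like group:artifact:packaging[:classifier]:version:scope;
    the root project line has no scope."""
    resolved = {}
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        parts = line.split()[-1].split(":")
        if len(parts) < 4:
            continue  # plugin banner, bare "[INFO]" line, etc.
        coordinates = f"{parts[0]}:{parts[1]}"
        if len(parts) >= 5:
            version, scope = parts[-2], parts[-1]
        else:
            version, scope = parts[-1], "root"
        resolved.setdefault(coordinates, []).append((version, scope))
    return resolved


def triage(findings, resolved):
    """Classify each finding as 'absent' (BOM-managed but never resolved),
    'fixed' (resolved at or above fixed_in) or 'affected' (resolved below it).
    'affected' still needs a code-path review before it counts as exploitable."""
    report = {}
    for finding in findings:
        hits = resolved.get(finding.coordinates)
        if not hits:
            report[finding.cve] = ("absent", f"{finding.coordinates} not on the classpath")
            continue
        below = [(v, s) for v, s in hits
                 if version_tuple(v) < version_tuple(finding.fixed_in)]
        if below:
            detail = ", ".join(f"{v} ({s})" for v, s in below)
            report[finding.cve] = ("affected", f"{finding.coordinates} {detail}")
        else:
            detail = ", ".join(f"{v} ({s})" for v, s in hits)
            report[finding.cve] = ("fixed", f"{finding.coordinates} {detail}")
    return report


if __name__ == "__main__":
    for cve, (status, detail) in triage(FINDINGS, parse_tree(DEPENDENCY_TREE)).items():
        print(f"{cve}: {status:8s} {detail}")
```

Run it against real output by piping `mvn dependency:tree` into a file and reading that instead of the constructed excerpt. Two of the three constructed findings come out as "absent" because the hypothetical application never resolves those artifacts, which is the shape of false positive the maintainer describes; the remaining "affected" result is where the application-specific review has to start, since a vulnerable version on the classpath is necessary but not sufficient for exposure.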