Not sure if this dependency is managed by Spring Boot or any other Spring dependency.

It uses jettison dependency (org.codehaus.jettison) on 1.4.0 version: https://mvnrepository.com/artifact/org.codehaus.jettison/jettison/1.4.0

Which has several security vulnerabilities.

It should use latest version 1.5.4 that has no security vulnerabilities: https://mvnrepository.com/artifact/org.codehaus.jettison/jettison/1.5.4

Thank you.

Comment From: bclozel

We don't manage this dependency in Spring Boot. Maybe check out the dependency tree of your application to figure out how this is brought in your application and report this to the relevant project?

Thanks!
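The dependency-tree check suggested above, as an added example that is not part of this issue or of the Spring Boot project: a small POSIX shell/awk scanner that reads `mvn dependency:tree` output, reports which direct dependency pulls in `org.codehaus.jettison:jettison`, and exits non-zero when the resolved version is below a minimum (here 1.5.4). The sample tree is constructed; the coordinates beneath the starter are placeholders, not the real transitive path.

```shell
#!/bin/sh
# Added example (not from the issue). Real usage:
#   mvn dependency:tree | scan_jettison_tree 1.5.4
scan_jettison_tree() {
  awk -v minver="$1" '
    # component-wise numeric "a < b" for dotted versions (1.4.0 < 1.5.4)
    function vlt(a, b,  x, y, na, nb, n, i) {
      na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
      for (i = 1; i <= n; i++) {
        if (x[i] + 0 < y[i] + 0) return 1
        if (x[i] + 0 > y[i] + 0) return 0
      }
      return 0
    }
    # every dependency line carries "+- " or "\- "; its column encodes the depth
    match($0, /[+\\]- /) {
      depth = (RSTART - 8) / 3 + 1
      split(substr($0, RSTART + 3), p, ":")   # groupId:artifactId:type:version[:scope]
      if (depth == 1) direct = p[1] ":" p[2]   # direct dependency owning this branch
      if (p[1] == "org.codehaus.jettison" && p[2] == "jettison") {
        if (vlt(p[4], minver)) { print "OUTDATED " p[4] " via " direct; bad = 1 }
        else                   { print "OK " p[4] " via " direct }
      }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample in the shape of Maven tree output; versions and the
# intermediate artifact are placeholders, not taken from a real build.
SAMPLE_TREE='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter:jar:X.Y.Z:compile
[INFO] \- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:X.Y.Z:compile
[INFO]    \- org.example:placeholder-transitive-lib:jar:1.0:compile
[INFO]       \- org.codehaus.jettison:jettison:jar:1.4.0:compile'

# Stand-alone demo: prints "OUTDATED 1.4.0 via ...eureka-client" and fails.
printf '%s\n' "$SAMPLE_TREE" | scan_jettison_tree 1.5.4 \
  || echo "jettison below 1.5.4: pin it in dependencyManagement or report upstream"
```

The `via` column names the direct dependency to report to (or to override with a managed version in your build); Gradle's `dependencies` task prints a different tree layout, so the column arithmetic above is Maven-specific.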

Comment From: trcoelho

Thanks, looks like it is a spring-cloud-starter-netflix-eureka-client dependency.

Have opened a bug to be tracked on their side.

https://github.com/spring-cloud/spring-cloud-netflix/issues/4238

Thank you.