https://spring.io/security/cve-2024-38807

https://spring.io/projects/spring-boot#support

The 2.6.x version reached EOS on 2024-02-14. Is this why 2.6.x is not disclosed (2.6.x actually affected)?

Comment From: wilkinsona

2.6.x is no longer supported, either in OSS or commercially, so we have not analysed whether or not it is vulnerable to CVE-2024-38807 and cannot say with certainty whether 2.6.x is or is not affected. However, it is likely that it is. If you have custom code that performs signature verification of nested jar files, you should assume that you are vulnerable until you have proven otherwise.