Affects: spring version <=v5.3.22
CVE-2022-25857 | high | 7.50 | org.yaml_snakeyaml | v1.30 | fixed in v1.31
+--- org.springframework.boot:spring-boot-starter-web -> 2.7.3
| +--- org.springframework.boot:spring-boot-starter:2.7.3
| | +--- org.springframework.boot:spring-boot:2.7.3
| | | +--- org.springframework:spring-core:5.3.22
| | | | \--- org.springframework:spring-jcl:5.3.22
| | | \--- org.springframework:spring-context:5.3.22
| | | +--- org.springframework:spring-aop:5.3.22
| | | | +--- org.springframework:spring-beans:5.3.22
| | | | | \--- org.springframework:spring-core:5.3.22 (*)
| | | | \--- org.springframework:spring-core:5.3.22 (*)
| | | +--- org.springframework:spring-beans:5.3.22 (*)
| | | +--- org.springframework:spring-core:5.3.22 (*)
| | | \--- org.springframework:spring-expression:5.3.22
| | | \--- org.springframework:spring-core:5.3.22 (*)
| | +--- org.springframework.boot:spring-boot-autoconfigure:2.7.3
| | | \--- org.springframework.boot:spring-boot:2.7.3 (*)
| | +--- jakarta.annotation:jakarta.annotation-api:1.3.5
| | +--- org.springframework:spring-core:5.3.22 (*)
| | \--- org.yaml:snakeyaml:1.30
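As an added example (not part of the issue report), the following Python script scans a Gradle `dependencies` report such as the one above for org.yaml:snakeyaml entries resolved to a version below 1.31, the first release with the fix for CVE-2022-25857. The sample tree embedded in the script is constructed from the report's relevant lines; it also handles Gradle's "requested -> resolved" notation so an overridden version is not reported as a false positive.

```python
import re
from typing import List, Tuple

# Constructed sample: the lines of the Gradle tree from the issue that lead to
# snakeyaml, with Gradle's normal four-space column indentation restored.
SAMPLE_TREE = """
+--- org.springframework.boot:spring-boot-starter-web -> 2.7.3
|    +--- org.springframework.boot:spring-boot-starter:2.7.3
|    |    +--- org.springframework.boot:spring-boot:2.7.3
|    |    +--- org.springframework:spring-core:5.3.22 (*)
|    |    \\--- org.yaml:snakeyaml:1.30
"""

# Gradle prints "group:artifact:requested -> resolved" when dependency
# management overrode a version, otherwise "group:artifact:version".
DEP_RE = re.compile(
    r"[+\\]--- (?P<group>[^:\s]+):(?P<artifact>[^:\s]+)"
    r"(?::(?P<requested>\S+))?(?: -> (?P<resolved>\S+))?"
)

FIXED_SNAKEYAML = (1, 31)  # CVE-2022-25857 is fixed in snakeyaml 1.31


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.30' or '1.31' into a comparable tuple of integers."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_vulnerable_snakeyaml(tree: str) -> List[Tuple[str, str]]:
    """Return (coordinate, effective version) for each snakeyaml entry below 1.31.

    The effective version is the resolved one when Gradle shows an override,
    otherwise the requested one.
    """
    hits: List[Tuple[str, str]] = []
    for line in tree.splitlines():
        match = DEP_RE.search(line)
        if not match:
            continue
        if (match["group"], match["artifact"]) != ("org.yaml", "snakeyaml"):
            continue
        version = match["resolved"] or match["requested"]
        if version and parse_version(version) < FIXED_SNAKEYAML:
            hits.append((f'{match["group"]}:{match["artifact"]}', version))
    return hits


if __name__ == "__main__":
    for coordinate, version in find_vulnerable_snakeyaml(SAMPLE_TREE):
        print(f"{coordinate}:{version} is below the fixed version 1.31")
```

Run it against the output of `gradle dependencies --configuration runtimeClasspath` to see which configurations still resolve the vulnerable version.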
Comment From: bclozel
Thanks, but Spring Framework doesn't expose a dependency to SnakeYaml in the published POMs; we're merely compiling against it for our support. We'll upgrade our optional dependencies as we see fit.
Comment From: shambhand
Thanks! It's mentioned on https://github.com/spring-projects/spring-boot/issues/32221. My bad! I did not check it on the spring-boot repository.