Hello everyone,
We have been using spring-cloud-netflix-eureka-server:2.2.3.RELEASE in some projects, and after running a vulnerability scanner it reported the vulnerability CVE-2016-1000027 under the spring-core:5.2.7.RELEASE dependency.
We did our own analysis and it seems not to affect us directly, since it does not create HTTP Invoker endpoints. Hence it looks like a false positive from the vulnerability scanner. However, we would like to confirm this with the spring-cloud-netflix community. :}
Question: By chance, does the vulnerability somehow affect this version? By the way, does the vulnerability affect any other version? I could not find this information.
Thank you in advance.
Additional information
+- org.springframework.cloud:spring-cloud-netflix-eureka-server:2.2.3.RELEASE
     +- org.springframework.boot:spring-boot-starter-web:2.3.0.RELEASE -> 2.3.1.RELEASE
     +- org.springframework.boot:spring-boot-starter-freemarker:2.3.0.RELEASE -> 2.3.1.RELEASE
     |    +- org.freemarker:freemarker -> 2.3.30
     |    \- org.springframework:spring-context-support -> 5.2.7.RELEASE
     |         +- org.springframework:spring-context:5.2.7.RELEASE (*)
     |         \- org.springframework:spring-core:5.2.7.RELEASE (*)
CVE mentioned: https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
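The "no HTTP Invoker endpoints" argument above can be turned into an automated check rather than a one-off review. The following Spring Boot test is an added example, not code from the issue or from the Spring Cloud Netflix project: it fails the build if the application context registers any bean derived from RemoteInvocationSerializingExporter, the base class of HttpInvokerServiceExporter and SimpleHttpInvokerServiceExporter in Spring Framework 5.2.x, which are the server-side components that deserialize RemoteInvocation payloads from clients. The package name and test class name are hypothetical; the Spring and JUnit 5 types referenced are real.

```java
// Added example (not from the issue or the Spring Cloud Netflix project):
// a Spring Boot integration test asserting that no HTTP Invoker exporter
// bean, i.e. no Java-deserialization endpoint, is registered in the context.
package com.example.eureka; // hypothetical package

import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.Map;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.ApplicationContext;
import org.springframework.remoting.rmi.RemoteInvocationSerializingExporter;

@SpringBootTest
class NoHttpInvokerEndpointsTest { // hypothetical class name

    @Autowired
    private ApplicationContext context;

    @Test
    void noRemoteInvocationExportersAreRegistered() {
        // HttpInvokerServiceExporter and SimpleHttpInvokerServiceExporter both
        // extend RemoteInvocationSerializingExporter, so a single lookup on the
        // base class covers every HTTP Invoker server-side exporter, whichever
        // one a library or auto-configuration might have registered.
        Map<String, RemoteInvocationSerializingExporter> exporters =
                context.getBeansOfType(RemoteInvocationSerializingExporter.class);

        // Listing the offending bean names makes the failure actionable.
        assertTrue(exporters.isEmpty(),
                "HTTP Invoker deserialization endpoints are exposed by beans: "
                        + exporters.keySet());
    }
}
```

The scanner attributes the CVE to spring-core because the advisory is recorded against the Spring Framework artifact, but the code that deserializes untrusted input is the exporter in org.springframework.remoting.httpinvoker, which ships in spring-web (pulled in here by spring-boot-starter-web). A bean-level check like this documents the false-positive argument in a form that keeps being re-evaluated on every build, and it will start failing if a later dependency change registers such an exporter.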
Comment From: spencergibb
In practice, the spring-core version is managed by Spring Boot and not Spring Cloud.