Is Spring Cloud Netflix affected by the RCE vulnerability? If so, will a new version be released?
https://github.com/advisories/GHSA-36p3-wjmg-h94x: Spring Framework RCE via Data Binding on JDK 9+ https://tanzu.vmware.com/security/cve-2022-22965
Comment From: weixsun
@yanglinfu SC Eureka's latest release 3.1.1 depends on Spring Framework version 5.3.18.
So it is not affected by this vulnerability.
Comment From: yanglinfu
@weixsun I don't think so. Spring Cloud Netflix 3.1.1 was released on 2022-02-18, but Spring Framework 5.3.18 was released on 2022-03-21. And the Spring Framework version that Spring Cloud Netflix 3.1.1 depends on is 5.3.15.
Comment From: weixsun
> And the Spring Framework version that Spring Cloud Netflix 3.1.1 depends on is 5.3.15
Perhaps you did see this dependency at one point. However, the real dependency version control is determined by Spring Cloud and Spring Boot. With Spring Boot 2.6.6 and Spring Cloud 2021.0.1, you'll get SC Eureka 3.1.1 depending on Spring 5.3.18.
Overall, SC Eureka does not require additional version upgrades or other changes.
Comment From: yanglinfu
OK, thank you for your answer. I analysed the dependency tree. The module spring-beans in Spring Cloud Netflix is always integrated with Spring Boot. So if I have a project that does not integrate Spring Boot, Spring Cloud or the SC Eureka server, and it acts just as a Eureka client integrating Spring Framework (5.3.18) for discovery and invoking services from the Eureka server, I think the vulnerability does not impact my project.
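As an added example (not code from this thread or from the Spring projects), the following POSIX shell check reads `mvn dependency:tree` output and reports which Spring Framework version Maven actually resolved, which is the point both replies above turn on: the effective version comes from the Spring Boot / Spring Cloud dependency management, not from the version Spring Cloud Netflix declares on its own. The tree text, the artifact versions in it, and the `com.example` coordinates are constructed for illustration; the 5.3.18 threshold is the fixed 5.3.x version named in the advisory linked at the top.

```shell
#!/bin/sh
# Constructed sample of `mvn dependency:tree` output for a Eureka client
# (not taken from the thread); versions are placeholders for illustration.
SAMPLE_TREE='[INFO] com.example:eureka-client:jar:1.0.0
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:3.1.1:compile
[INFO] |  \- org.springframework.cloud:spring-cloud-starter:jar:3.1.1:compile
[INFO] |     \- org.springframework:spring-beans:jar:5.3.15:compile
[INFO] \- org.springframework:spring-web:jar:5.3.15:compile'

# The same tree as it would look once Spring Boot 2.6.6 / Spring Cloud 2021.0.1
# dependency management pins the framework to 5.3.18 (also constructed).
PINNED_TREE=$(printf '%s\n' "$SAMPLE_TREE" | sed 's/5\.3\.15/5.3.18/g')

# resolved_version TREE ARTIFACT
# Print the version Maven resolved for org.springframework:ARTIFACT in TREE,
# or nothing if that artifact does not appear in the tree.
resolved_version() {
  printf '%s\n' "$1" | grep -o "org\.springframework:$2:jar:[^:]*" | head -n 1 | cut -d: -f4
}

# version_ge A B: succeed when dotted version A is >= B (numeric, up to 4 parts)
version_ge() {
  highest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | tail -n 1)
  [ "$highest" = "$1" ]
}

# spring_status TREE: print FIXED when the resolved spring-beans is at least
# 5.3.18 (the 5.3.x release carrying the CVE-2022-22965 fix per the advisory),
# VULNERABLE when it is older, and MISSING when spring-beans is not in the
# tree at all (e.g. a client built without Spring Boot, whose framework jars
# come from elsewhere and must be checked there instead).
spring_status() {
  v=$(resolved_version "$1" spring-beans)
  if [ -z "$v" ]; then
    echo MISSING
  elif version_ge "$v" 5.3.18; then
    echo FIXED
  else
    echo VULNERABLE
  fi
}

# Usage with a real project:  mvn dependency:tree | { spring_status "$(cat)"; }
spring_status "$SAMPLE_TREE"
spring_status "$PINNED_TREE"
```

The check looks only at `spring-beans`, the artifact the last reply mentions, because it is the module that the data-binding fix lands in; a tree where it is absent is reported separately rather than as safe, since a client that takes Spring Framework from its own declared dependencies still has to be checked against the same 5.3.18 threshold.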