I opened this one at the spring-boot project (https://github.com/spring-projects/spring-boot/issues/38769); however, this dependency is not managed by them.

spring-cloud-starter-netflix-eureka-client uses the jettison dependency (org.codehaus.jettison) at version 1.4.0: https://mvnrepository.com/artifact/org.codehaus.jettison/jettison/1.4.0

That version has several security vulnerabilities.

It should use the latest version, 1.5.4, which has no security vulnerabilities: https://mvnrepository.com/artifact/org.codehaus.jettison/jettison/1.5.4

Thank you.

Comment From: OlgaMaciaszek

Hello @trcoelho. Thanks for reporting it. The dependency comes from an external project. I have created a PR: https://github.com/Netflix/eureka/pull/1530.

Comment From: mmerali96

Hey @OlgaMaciaszek, I see the eureka core team merged a fix on their end. What is the process for getting this change into spring-cloud-starter-netflix-eureka-client? I am also waiting on this to fix some CVEs in our application, and if there is something to contribute to get it done, I am happy to help.

Thank you!!

Comment From: OlgaMaciaszek

We need to wait for them to release the new version (hopefully, next week). If there's any other issue you see, feel free to create a pull request.
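Until the upstream release lands, a consuming project can pin the transitive jettison version itself and make the build fail if an older one is ever resolved. The following Maven fragment is an added example, not part of this thread or of the Spring Cloud project; it assumes a Spring Boot application built with Maven, and the enforcer plugin version is left to the build's own plugin management.

```xml
<project>
  <!-- parent, groupId, artifactId and version omitted: this is only the part relevant to jettison -->

  <dependencyManagement>
    <dependencies>
      <!-- Override the 1.4.0 version that spring-cloud-starter-netflix-eureka-client
           pulls in transitively; managed versions apply to transitive dependencies too. -->
      <dependency>
        <groupId>org.codehaus.jettison</groupId>
        <artifactId>jettison</artifactId>
        <version>1.5.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Guard against regressions: fail the build if any path in the
           dependency graph still resolves jettison older than 1.5.4. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <id>ban-vulnerable-jettison</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- version range: anything below 1.5.4 is banned -->
                    <exclude>org.codehaus.jettison:jettison:[,1.5.4)</exclude>
                  </excludes>
                  <searchTransitive>true</searchTransitive>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After applying it, `mvn dependency:tree -Dincludes=org.codehaus.jettison` should show only jettison 1.5.4 in the resolved graph.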