As per the instructions provided on https://spring.io/security/cve-2023-20859, the affected spring-cloud-config versions are 3.1.0 to 3.1.6 and older versions.
So the vulnerability scanner of cloud providers will still detect the presence of a vulnerability if the application depends on spring-cloud-config:3.1.6.
However, 3.1.6 is currently the latest version in the 3.x series, so can a 3.1.7 version be released?
Comment From: m-ibot
I would appreciate a new 3.1.x release as well.
> As per the instructions provided on https://spring.io/security/cve-2023-2085, Affected spring-cloud-config is 3.1.0 to 3.1.6 and older versions.
The link is missing one digit at the end. The CVE can be found here: https://spring.io/security/cve-2023-20859
Comment From: izxd
> I would appreciate a new 3.1.x release as well.
>> As per the instructions provided on https://spring.io/security/cve-2023-2085, Affected spring-cloud-config is 3.1.0 to 3.1.6 and older versions.
> The link is missing one digit at the end. The CVE can be found here: https://spring.io/security/cve-2023-20859
Thank you very much, the correction has been made.
Comment From: izxd
@royclarkson Hello, I saw that spring vault.version is still 2.3.2 in 3.1.7