Vulnerability:
tomcat-embed-core-9.0.41.jar (pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.41, cpe:2.3:a:apache:tomcat:9.0.41:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:9.0.41:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.41:*:*:*:*:*:*:*) : CVE-2020-9484, CVE-2021-25122, CVE-2021-25329
Dependency tree:
+- org.springframework.boot:spring-boot-starter-web:jar:2.5.1:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.3.8.RELEASE:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.41:compile
Comment From: snicoll
@kellymoore Spring Boot Starter Web 2.5.1 should bring Spring Boot Starter Tomcat 2.5.1, not 2.3.8.RELEASE. Can you please double-check your build to validate this dependency is not overridden? Spring Boot 2.5.1 uses 9.0.46 already.
Comment From: kellymoore
@snicoll apologies, it was overridden by spring-boot-parent.
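
A check for the situation discussed in this thread, as an added example that is not part of the original issue or of Spring Boot: it parses `mvn dependency:tree` output and flags any `org.springframework.boot` artifact whose version differs from the Spring Boot artifact that pulls it in, a sign that the version is overridden elsewhere in the build. The sample tree is constructed from the report using standard Maven spacing; the root coordinate `com.example:demo` and the function name `find_version_skew` are assumptions.

```python
import re

# Constructed sample: the tree from the report in standard `mvn dependency:tree`
# spacing. The root coordinate com.example:demo is a placeholder.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.3.8.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.41:compile
"""

# Optional "[INFO] " prefix, 3-character indent units, then "+- " or "\- ".
NODE = re.compile(r"^(?:\[INFO\] )?((?:[| ] {2})*)[+\\]- (\S+)")


def find_version_skew(tree_text, group="org.springframework.boot"):
    """Return (parent, child) pairs inside `group` whose versions disagree.

    Heuristic: artifacts of one Spring Boot release depend on each other at
    the same version, so a parent/child mismatch points at an override
    (a parent POM, dependencyManagement, or an explicit version).
    """
    stack = []     # stack[d] is the (group, artifact, version) open at depth d
    findings = []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue                      # project root, banners, blank lines
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")     # group:artifact:type[:classifier]:version:scope
        if len(parts) < 5:
            continue
        node = (parts[0], parts[1], parts[-2])
        del stack[depth:]                 # close siblings and deeper levels
        if stack:
            parent = stack[-1]
            if parent[0] == group and node[0] == group and parent[2] != node[2]:
                findings.append((f"{parent[1]}:{parent[2]}", f"{node[1]}:{node[2]}"))
        stack.append(node)
    return findings


if __name__ == "__main__":
    for parent, child in find_version_skew(SAMPLE_TREE):
        print(f"version skew: {parent} pulls in {child}")
```

Running it against a build before triaging scanner findings shows whether a flagged transitive version comes from the declared Spring Boot release or from an override.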