The library starter spring-boot-starter-validation (amongst others) pulls in jakarta.el version 3.0.3 at a minimum. This has been linked to an open security issue (below) and as such, the version used should be updated to 3.0.3.jbossorg-1 at a minimum.

Spring Boot Starter: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-validation/2.4.4
Vulnerable Library: https://mvnrepository.com/artifact/org.glassfish/jakarta.el/3.0.3
Recommended Library: https://mvnrepository.com/artifact/org.glassfish/jakarta.el/3.0.3.jbossorg-2
Vulnerability: https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/

Comment From: wilkinsona

Thanks for the suggestion, but 3.0.3.jbossorg-2 is only available from the JBoss EA repository and we only consume third-party dependencies from Maven Central. We'll pick up the next official 3.0.x release as part of our semi-automated dependency upgrade process. In the meantime, if you are concerned about the vulnerability, you can add https://repository.jboss.org/nexus/content/repositories/ea/ to your build's repositories and override the dependency version.
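The interim workaround described in the comment above, written out as an added example (this pom.xml is not from the issue thread or the Spring Boot project): a project built on spring-boot-starter-parent 2.4.4 that adds the JBoss EA repository and overrides the jakarta.el version that spring-boot-starter-validation pulls in transitively. The project coordinates (com.example:validation-demo) and the property name jakarta-el.override.version are hypothetical; the override is expressed as a dependencyManagement entry rather than by redefining a Spring Boot version property, so it does not depend on the property name spring-boot-dependencies uses for this artifact.

```xml
<!-- Added example, not the project's own build file.
     Assumes a Maven project inheriting from spring-boot-starter-parent 2.4.4. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.4.4</version>
    <relativePath/>
  </parent>

  <!-- Hypothetical coordinates for the example project. -->
  <groupId>com.example</groupId>
  <artifactId>validation-demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Hypothetical property: single place to bump the pinned jakarta.el version.
         The jbossorg-2 build is only published in the JBoss EA repository; once an
         official fixed 3.0.x release is on Maven Central, point this at that version
         and drop the <repositories> block below. -->
    <jakarta-el.override.version>3.0.3.jbossorg-2</jakarta-el.override.version>
  </properties>

  <repositories>
    <!-- Extra repository needed only to resolve the patched jakarta.el build. -->
    <repository>
      <id>jboss-ea</id>
      <url>https://repository.jboss.org/nexus/content/repositories/ea/</url>
      <releases>
        <enabled>true</enabled>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
    </repository>
  </repositories>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version declared here takes precedence over the one inherited
           from spring-boot-dependencies, so the transitive org.glassfish:jakarta.el
           brought in by spring-boot-starter-validation resolves to this version. -->
      <dependency>
        <groupId>org.glassfish</groupId>
        <artifactId>jakarta.el</artifactId>
        <version>${jakarta-el.override.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The starter itself; its jakarta.el dependency is now governed by the entry above. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-validation</artifactId>
    </dependency>
  </dependencies>
</project>
```

To confirm the override actually took effect, run `mvn dependency:tree -Dincludes=org.glassfish:jakarta.el` and check that the single line reported for that artifact shows the pinned version rather than 3.0.3. Keep in mind that a repository added to a build is consulted for every artifact the build resolves, not just this one, so remove it as soon as a fixed release is available from Maven Central.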

Comment From: atwupack

@wilkinsona The new version 3.0.4 containing the fix for CVE-2021-28170 is now available. https://mvnrepository.com/artifact/org.glassfish/jakarta.el/3.0.4 https://github.com/eclipse-ee4j/el-ri/commits/3.0.4-impl