jersey-media-json-jackson1 is affected by CVE-2019-10202, and the patch is already available in jersey-media-json-jackson. Since Spring Boot has both of these dependencies, it's better to remove the vulnerable one so that Spring Boot users don't use it accidentally.

Comment From: bclozel

Spring Boot does not depend on jersey-media-json-jackson1, and already relies on jersey-media-json-jackson only. What makes you think it is?

We do import the jersey-bom, which declares the version management for jersey-media-json-jackson1. If you think this dependency should not be managed at all, you'll need to take this up with the Jersey team, which is in control of that BOM.
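The distinction in the comment above, between a BOM that merely manages a version and a dependency that is actually resolved onto the classpath, is easy to check in a build file. The Maven POM fragment below is an added example and is not taken from the Spring Boot or Jersey projects; the project coordinates and the `PLACEHOLDER_JERSEY_VERSION` value are placeholders.

```xml
<!-- Added example (not Spring Boot's or Jersey's own build file).
     Coordinates and versions below are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>jersey-app</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Importing a BOM only pins versions for artifacts that are
           declared elsewhere; by itself it adds nothing to the classpath. -->
      <dependency>
        <groupId>org.glassfish.jersey</groupId>
        <artifactId>jersey-bom</artifactId>
        <version>PLACEHOLDER_JERSEY_VERSION</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Only artifacts listed here (plus their transitive dependencies) are
         resolved. jersey-media-json-jackson is declared; jersey-media-json-jackson1
         is not, so it stays "managed" in the BOM and is never downloaded. -->
    <dependency>
      <groupId>org.glassfish.jersey.media</groupId>
      <artifactId>jersey-media-json-jackson</artifactId>
      <!-- No version here: it is supplied by the imported BOM. -->
    </dependency>
  </dependencies>
</project>
```

To confirm what is actually on the classpath rather than what is merely version-managed, run `mvn dependency:tree` on the project and search the output for `jersey-media-json-jackson1`. If it does not appear, the BOM entry is inert for that build; if it does, some declared dependency pulls it in transitively, and an `<exclusion>` on that dependency removes it.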

Comment From: ManjunathMS35

Thanks for the clarification. I've created an issue in Jersey to address this.

Comment From: snicoll

Thanks for the follow-up. For those interested, the related issue is https://github.com/eclipse-ee4j/jersey/issues/4397