As mentioned here (https://nvd.nist.gov/vuln/detail/CVE-2022-0265), Hazelcast prior to version 5.1 contained a vulnerability: it did not set the correct properties to protect users from malicious XML input. This could result in XML external entity (XXE) attacks, which could disclose confidential data or cause server-side request forgery (SSRF). The mitigation step is to upgrade the Hazelcast dependency version to 5.1 in Spring Boot. Requesting that you clarify whether this dependency will be updated in the next Spring Boot releases.

Comment From: wilkinsona

It looks as if the CVE may be inaccurate. According to @kwart, only 5.1 is vulnerable:

Even though the class is not new, the only affected version seems to be the enterprise version of the latest beta (5.1-BETA-1). I didn't find a valid call path (other than ones from tests) in previous releases.

Regardless, we will upgrade to 5.1 in Spring Boot 2.7. We won't upgrade in earlier versions of Spring Boot as we cannot move to a new major or minor of a dependency in a maintenance release. If earlier versions of Hazelcast are, in fact, vulnerable, you can try using hazelcast.version to override Spring Boot's default Hazelcast version until a fix is available in earlier versions of Hazelcast.
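The version override described in the comment above, shown as an added example (not code from this thread or from the Spring Boot project): a minimal Maven pom.xml that inherits from spring-boot-starter-parent and sets the hazelcast.version property so that the Hazelcast artifact managed by spring-boot-dependencies is replaced. The parent version 2.6.3, the project coordinates and the Java version are assumptions chosen for illustration; the only lines that matter for the override are the property and the dependency without an explicit version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Assumed Spring Boot 2.6.x parent; its managed Hazelcast version is older than 5.1 -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.3</version>
    <relativePath/>
  </parent>

  <!-- Hypothetical project coordinates -->
  <groupId>com.example</groupId>
  <artifactId>hazelcast-version-override</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <java.version>11</java.version>
    <!-- Overrides the version spring-boot-dependencies declares for com.hazelcast:hazelcast.
         Only the property is needed; the dependency below stays version-less so the
         overridden managed version applies. -->
    <hazelcast.version>5.1</hazelcast.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
    <dependency>
      <groupId>com.hazelcast</groupId>
      <artifactId>hazelcast</artifactId>
      <!-- no <version>: resolved from the overridden hazelcast.version property -->
    </dependency>
  </dependencies>
</project>
```

Two checks worth doing after applying this: confirm the resolved version with `mvn dependency:tree -Dincludes=com.hazelcast`, and note that the property override only takes effect when spring-boot-starter-parent is the parent; if the project instead imports the spring-boot-dependencies BOM in dependencyManagement, the Hazelcast dependency must be declared there with an explicit version before the BOM import, since an imported BOM does not read the importing project's properties.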