In Spring Boot 2.5.10, spring-boot-starter-json depends on jackson-databind version 2.12.6. Dependency-Check 7.0.0 will flag this with a high CVSS score - CVE-2020-36518.
Related issue: https://github.com/FasterXML/jackson-databind/issues/2816
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.0.0:check (default) on project jackson-demo:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] jackson-databind-2.12.6.jar: CVE-2020-36518(7.5)
This issue does not affect Spring Boot 2.6.4 and I do understand that it is advisable to upgrade ASAP to that version. But since the 2.5.x branch is still supported, I wanted to raise this issue for completeness.
Demo project to reproduce the issue: https://github.com/ghillert/boot-jackson-cve/tree/main
Comment From: wilkinsona
We won’t upgrade to a new minor version of a dependency in a maintenance release of Spring Boot. You can either upgrade to Spring Boot 2.6.x or stick with 2.5.x and use the jackson.version property to opt in to the upgrade.
Comment From: alexsheppard11
2.12.6.1 has been released to fix this CVE: https://github.com/FasterXML/jackson-databind/issues/2816#issuecomment-1079824029. Will you consider a patch release of 2.5.x now?
Comment From: snicoll
@alexsheppard11 there is no need to ask. As mentioned on several occasions, we have a semi-automated upgrade process that will upgrade dependencies to whatever matches our 3rd party upgrade policy. And there is no need to wait for us to release, as you can already use jackson.version as described above.
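One way to apply the workaround discussed in this thread on Maven, as a constructed example rather than the demo project's own pom.xml: instead of overriding the jackson.version property, it pins jackson-databind alone to the patched 2.12.6.1 in dependencyManagement (a direct entry there takes precedence over the version inherited from spring-boot-dependencies) and runs the same Dependency-Check plugin that produced the report above. The groupId and artifactId are placeholders.

```xml
<!-- Constructed pom.xml for a Spring Boot 2.5.10 project; not the demo project's own file -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.5.10</version>
    <relativePath/>
  </parent>
  <groupId>com.example</groupId>          <!-- placeholder coordinates -->
  <artifactId>jackson-demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <dependencyManagement>
    <dependencies>
      <!-- Pin only jackson-databind to 2.12.6.1 (the fix for CVE-2020-36518).
           This declaration wins over the 2.12.6 managed by spring-boot-dependencies,
           so spring-boot-starter-json below transitively resolves the patched jar. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.12.6.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-json</artifactId>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <!-- Same scanner and threshold as the report above: fail the build at CVSS >= 7 -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>7.0.0</version>
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals><goal>check</goal></goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` before `mvn verify` confirms that 2.12.6.1 is the version actually resolved, so the check goal no longer reports the 2.12.6 jar.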