As per maven repository

Vulnerabilities from dependencies: CVE-2023-25194 CVE-2022-45868 CVE-2022-4492 CVE-2022-41854 CVE-2022-41853 CVE-2022-38752 CVE-2022-38751 CVE-2022-38750 CVE-2022-38749 CVE-2022-35278 CVE-2022-25857 CVE-2022-1471

Link : https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies/2.7.9

Screenshot

SpringBoot spring-boot-dependencies 2.7.9 has multiple Vulnerabilities

Comment From: wilkinsona

Unfortunately, in our experience automated security scans are of limited value as they generate an overwhelming number of false positives. Most importantly in this case, spring-boot-dependencies does not have any dependencies. It only provides dependency management, controlling the versions of dependencies that you have added to your application. As such, unless you have added a dependency that's referenced in one of the CVEs, your application cannot be at risk.

Beyond this, the security scanning is a really blunt instrument and without further analysis of its findings in the context of your application, the output is of little use. Let's look at a few of the CVEs reported with this in mind:

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25194. As I understand it, this is a server-side Kafka vulnerability. Kafka clients are not affected. See https://github.com/spring-projects/spring-boot/issues/34284#issuecomment-1457889345 for some existing discussion.
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25194. This only applies if you've started the H2 console on the command line using the -webAdminPassword option. Spring Boot will never do that.
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4492. There's very little information in this CVE but it appears to be a problem that's specific to Undertow's HTTP client which Spring Boot does not use.
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41854. This vulnerability only applies if you're passing untrusted input to SnakeYAML. Spring Boot does not do this. See https://github.com/spring-projects/spring-boot/issues/32221 for further details.

Having looked at the first 4 CVEs, we have a 100% false-positive rate and there's nothing we can do in Spring Boot to address them. Automated scanning tools generate so many false positives that we simply don't have time to document them and explain why they are false positives or how and when a particular application may be vulnerable. The latter requires knowledge of the application which we simply don't have.

Please rest assured that we do take security seriously. We regularly update our dependencies on other Spring projects and third-party libraries to keep up-to-date. Vulnerabilities in Spring projects are listed on the Spring Security Advisories page which I would encourage you to keep an eye on. On the rare occasion where there has been a vulnerability found in a Spring project, we coordinate with that project to update Spring Boot as soon as a release that addresses the vulnerability is available. Typically the release announcement (on https://spring.io/blog) will mention when a release addresses a vulnerability.
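The check the comment asks for, as an added example that is not part of the issue or of the Spring Boot project: a CVE against an artifact that spring-boot-dependencies merely manages is only reachable if that artifact is actually resolved into the build, so the script greps the resolved tree from `mvn dependency:tree` for the artifact's coordinates and reports the version to assess. The sample tree, the `find_artifact` helper and the artifact versions in it are constructed for the example.

```shell
# Added example (not from this issue or the Spring Boot project): a CVE against an
# artifact that spring-boot-dependencies only manages applies only if that
# artifact is actually resolved into your build. Check the resolved tree, e.g.
#   mvn dependency:tree -DoutputFile=tree.txt && find_artifact tree.txt org.yaml:snakeyaml
# Prints the resolved version(s) and returns 0 if present, returns 1 if absent.
find_artifact() {
  tree_file="$1"
  ga="$2"   # groupId:artifactId
  # Tree nodes are tokens of the form groupId:artifactId:type[:classifier]:version:scope,
  # so the version is always the second-to-last colon-separated field.
  versions=$(awk -v ga="$ga" '
    {
      for (i = 1; i <= NF; i++)
        if (index($i, ga ":") == 1) {
          n = split($i, f, ":")
          print f[n - 1]
        }
    }' "$tree_file" | sort -u)
  [ -n "$versions" ] || return 1
  printf '%s\n' "$versions"
}

# Constructed sample of `mvn dependency:tree` output for a hypothetical app on Boot 2.7.9.
SAMPLE_TREE=$(mktemp)
cat > "$SAMPLE_TREE" <<'EOF'
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.7.9:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.7.9:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:2.7.9:test
[INFO]    \- org.yaml:snakeyaml:jar:1.30:compile - omitted for duplicate
EOF

# Triage the artifacts behind three of the reported CVEs against the sample build.
for ga in org.yaml:snakeyaml org.apache.kafka:kafka-clients com.h2database:h2; do
  if v=$(find_artifact "$SAMPLE_TREE" "$ga"); then
    echo "$ga resolved at version(s): $(echo "$v" | tr '\n' ' ')- analyse the CVE against this version"
  else
    echo "$ga is not in the dependency tree - CVEs against it do not apply to this build"
  fi
done
```

A hit only means the artifact is present; whether the CVE applies still depends on how the application uses it, as the comment explains for SnakeYAML.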