Comment From: chenrujun

I think it's necessary for Spring Boot 2.x in 2.7.x branch to fix CVE-2023-25194.

Comment From: wilkinsona

As described in our policy for managing third-party dependencies, we won't upgrade to a new minor release of a dependency in a maintenance release of Spring Boot.

Additionally, I think this CVE is a false-positive in the context of a Spring Boot application. Its description describes it as a server-side vulnerability:

> This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.

Comment From: chenrujun

@wilkinsona I got it. Thank you for your information.

(cc: @stliu, FYI.)

Comment From: sheetalj2205

But this is giving me an error: org.springframework.beans.factory.BeanCreationException: Invocation of init method failed; nested exception is java.lang.NoSuchMethodError: kafka.utils.TestUtils.boundPort(Lkafka/server/KafkaServer;Lorg/apache/kafka/common/security/auth/SecurityProtocol;)I

I am using:
- Gradle version 6.8.1
- Spring Boot 2.7.10
- testImplementation "org.springframework.kafka:spring-kafka-test:2.6.5"

Comment From: wilkinsona

@sheetalj2205 This upgrade only applied to Spring Boot 3.1.0-M1. As you are using 2.7.10 you are not affected by it. You should be using Spring Kafka 2.8.x, not 2.6.x, with Spring Boot 2.7.x. You can find all the default versions listed in the documentation.

If you have any further questions, please follow up on Stack Overflow or Gitter. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.
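The version mismatch in the thread above comes from pinning spring-kafka-test to a version that Spring Boot's dependency management does not manage for that Boot line. The following build.gradle fragment, added here as an illustration and not taken from the thread or from the Spring projects, shows the mismatched declaration next to the managed one; the dependency-management plugin version (1.0.15.RELEASE) and the project layout are assumptions for the example.

```groovy
// build.gradle (added example; assumes a Spring Boot 2.7.10 project)
plugins {
    id 'java'
    id 'org.springframework.boot' version '2.7.10'
    // Assumed plugin version; it imports the spring-boot-dependencies BOM
    id 'io.spring.dependency-management' version '1.0.15.RELEASE'
}

repositories {
    mavenCentral()
}

dependencies {
    implementation 'org.springframework.kafka:spring-kafka'

    // Mismatched: an explicit version overrides the BOM, so spring-kafka-test 2.6.x
    // runs against the kafka_2.13 / kafka-clients version that Boot 2.7.x manages,
    // which is what produces the NoSuchMethodError seen above.
    // testImplementation 'org.springframework.kafka:spring-kafka-test:2.6.5'

    // Managed: no version, so the BOM selects the Spring Kafka 2.8.x line that
    // Boot 2.7.x is built and tested against.
    testImplementation 'org.springframework.kafka:spring-kafka-test'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
}
```

To confirm which version actually ends up on the test classpath, and where it was selected from, run `./gradlew dependencyInsight --dependency spring-kafka-test --configuration testRuntimeClasspath`; the report names the BOM as the source when dependency management is in effect, and shows a direct "selected by rule" or explicit declaration when a pinned version is overriding it.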