Our project has a dependency on pkg:maven/org.springframework.boot/spring-boot-starter@3.1.2.

When we upload our build artifacts to Maven Central, it reports [CVE-2022-1471] CWE-502: Deserialization of Untrusted Data for pkg:maven/org.springframework.boot/spring-boot-starter@3.1.2.

This vulnerability is because of pkg:maven/org.yaml/snakeyaml@1.33, which is a dependency of pkg:maven/org.springframework.boot/spring-boot-starter@3.1.2.

  1. Has this issue been addressed? If yes, in which version of spring-boot-starter?
  2. How did pkg:maven/org.springframework.boot/spring-boot-starter@3.1.2 get released to Maven Central despite this vulnerability?

Comment From: bclozel

This is a duplicate of https://github.com/spring-projects/spring-boot/issues/33457 which is linked at the top of the issues page.