Description

We have a vulnerability in our applications, specifically CVE-2023-41080, that affects the version of Apache Tomcat currently used in Spring Boot 2.7.x. Updating the Apache Tomcat dependency in Spring Boot to at least version 9.0.80 will mitigate this vulnerability.

More information: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f

Comment From: mhalbritter

Hello,

There is no need to ask for a dependency upgrade.

As mentioned in our issue template:

You DO NOT need to raise an issue for a managed dependency version upgrade as there's a semi-automatic process for checking managed dependencies for new versions before a release.

We will perform upgrades matching our third-party upgrade policy. If this is an urgent matter for you, there is no need to wait for us to release, as you can use a Gradle or Maven build property to override the library version. All version properties are listed in the reference documentation appendix.
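The override the comment refers to, as an added example that is not part of this issue thread or the Spring Boot project's own files: a Maven `pom.xml` that pins the managed Tomcat version to the fixed 9.0.80 line. It assumes the project inherits from `spring-boot-starter-parent` (where managed version properties can be overridden from `<properties>`) and that `tomcat.version` is the property name listed for Tomcat in the reference documentation appendix; the Spring Boot parent version is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: pom.xml overriding the Spring Boot managed Tomcat version. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Inheriting from the starter parent is what makes the property override below take effect. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.x-PLACEHOLDER</version> <!-- replace with the 2.7.x release you are on -->
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>       <!-- constructed sample coordinates -->
  <artifactId>demo-service</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <java.version>11</java.version>
    <!-- Before: with no entry here, tomcat-embed-* resolve to the version managed by
         the Spring Boot 2.7.x BOM, which is the one affected by CVE-2023-41080.
         After: pin the managed property (assumed name: tomcat.version) to the fixed line.
         Remove this line once a Spring Boot release manages 9.0.80 or later itself. -->
    <tomcat.version>9.0.80</tomcat.version>
  </properties>

  <dependencies>
    <!-- spring-boot-starter-web pulls in spring-boot-starter-tomcat, i.e. the embedded
         tomcat-embed-core / tomcat-embed-websocket / tomcat-embed-el artifacts. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
```

The Gradle equivalent is `ext['tomcat.version'] = '9.0.80'` in `build.gradle`. Confirm the override took effect with `mvn dependency:tree -Dincludes=org.apache.tomcat.embed` (or `gradle dependencies --configuration runtimeClasspath`) and check that every `tomcat-embed-*` artifact resolves to 9.0.80.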