Spring-boot-starter-parent version 2.7.17 is pulling in the com.rabbitmq:amqp-client version 5.14.3 as a direct dependency. This amqp-client version is flagged by CVE-2023-46120.
Spring-boot-starter-parent version 2.7.17 is pulling in the io.dropwizard.metrics:metrics-graphite version 4.2.21, which has a transitive dependency on com.rabbitmq:amqp-client version 5.19.0. This amqp-client version, pulled in by metrics-graphite, would fix CVE-2023-46120.
Since spring-boot-starter-parent is pulling in amqp-client directly, that version is overriding any more recent one, resulting in this dependency tree:
[INFO] |  +- io.micrometer:micrometer-registry-graphite:jar:1.9.16:compile
[INFO] |  |  \- io.dropwizard.metrics:metrics-graphite:jar:4.2.21:compile
[INFO] |  |     \- com.rabbitmq:amqp-client:jar:5.14.3:compile
Since we can't exclude dependencies from the spring-boot-starter-parent, would it maybe be possible to get a more recent amqp-client version in the next spring-boot-starter-parent uplift, please?
We have a workaround in place to enforce the most recent amqp-client version in our project, but it adds unnecessary complexity/maintenance to the pom files.
Note: Spring-boot-starter-parent also has a transitive dependency on amqp-client (a version that would also fix the CVE) and metrics-graphite, through the micrometer-bom direct dependency:
spring-boot-starter-parent 2.7.17
-> io.micrometer » micrometer-bom 1.9.16
---> io.micrometer » micrometer-registry-graphite 1.9.16
-----> io.dropwizard.metrics » metrics-graphite 4.2.20
-------> com.rabbitmq » amqp-client 5.18.0
Comment From: philwebb
Following our third-party upgrade policy we cannot upgrade amqp-client to 5.19.0 in a Spring Boot 2.7 patch release. Spring Boot 3.2 will ship with amqp-client 5.19.0 or you can override the dependency in your own build.
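The in-build override philwebb refers to (the same kind of workaround the issue author describes), as an added example that is not from the issue or from Spring Boot itself: a minimal pom.xml that pins amqp-client to 5.19.0 through the project's own dependencyManagement, which takes precedence over the version inherited from spring-boot-dependencies and also governs the transitive path through metrics-graphite, plus a Maven Enforcer rule so the build fails if an older amqp-client is ever resolved again. The project coordinates and the enforcer plugin version are assumptions.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.17</version>
  </parent>
  <!-- constructed example coordinates, not a real project -->
  <groupId>com.example</groupId>
  <artifactId>amqp-client-override</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <dependencyManagement>
    <dependencies>
      <!-- A managed version declared in the project wins over the inherited one and
           also applies to micrometer-registry-graphite -> metrics-graphite -> amqp-client -->
      <dependency>
        <groupId>com.rabbitmq</groupId>
        <artifactId>amqp-client</artifactId>
        <version>5.19.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>io.micrometer</groupId>
      <artifactId>micrometer-registry-graphite</artifactId>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <!-- Guard: fail the build if any path still resolves an amqp-client older than 5.19.0 -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version> <!-- assumed plugin version -->
        <executions>
          <execution>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules><bannedDependencies>
                <excludes><exclude>com.rabbitmq:amqp-client:[,5.19.0)</exclude></excludes>
              </bannedDependencies></rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

`mvn dependency:tree -Dincludes=com.rabbitmq:amqp-client` shows which version each path now resolves to, and the enforcer execution fails the build if 5.14.3 reappears.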