As per Pivotal documentation (https://tanzu.vmware.com/security/cve-2018-1270), the critical vulnerability CVE-2018-1270 is fixed in Spring versions 5.0.5 and later. But I am still getting this vulnerability in Spring version 5.2.3.
Comment From: bclozel
What do you mean by:
But still getting this vulnerability in Spring version 5.2.3
I don’t think the CVE announcement says that 5.2.3 is vulnerable to that. What makes you think it is still vulnerable?
Comment From: dipindas
@bclozel Jenkins dependency-check lists spring-kafka as a vulnerability (CVE-2018-1270) in a Spring Boot application using Spring version 5.2.3.
Comment From: bclozel
Please report this problem against that project. It doesn't seem we're publishing incorrect information regarding this CVE. It seems that GitHub is providing the correct information here: CVE-2018-1270.
I'm closing this issue as a result. Please reopen this issue if you believe something needs to be addressed by the Spring team.
Thanks!
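Editor's note (not part of the thread above): when a scanner such as OWASP dependency-check flags a CVE that the resolved library version does not actually contain, the practitioner's fix is on the scanner side, not in Spring. First confirm the version that is really on the classpath (for Maven, `mvn dependency:tree -Dincludes=org.springframework:spring-messaging`; CVE-2018-1270 concerns the spring-messaging module and is fixed in Spring Framework 5.0.5 and later), and only then add a targeted suppression. The suppression file below is an added example, not something posted in the thread or shipped by the Spring or dependency-check projects; the file name `dependency-check-suppressions.xml`, the note text and the choice to scope the rule to the `spring-kafka` package URL are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file (assumed name: dependency-check-suppressions.xml).
     Scope each rule to one package URL and one CVE so the suppression cannot
     silently hide a different, real finding later. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2018-1270 affects spring-messaging < 5.0.5 / < 4.3.15.
      Resolved spring-messaging in this build is 5.2.3.RELEASE (verified with
      mvn dependency:tree on the date this rule was added). Reported upstream
      against the dependency-check project. Re-check when removing this rule.
    ]]></notes>
    <!-- Match only the spring-kafka artifact, any version, by package URL -->
    <packageUrl regex="true">^pkg:maven/org\.springframework\.kafka/spring\-kafka@.*$</packageUrl>
    <cve>CVE-2018-1270</cve>
  </suppress>
</suppressions>
```

Point the scanner at the file (for the Maven plugin, the `suppressionFiles` configuration element; for the CLI, `--suppression`) and keep it in version control next to the build, so the justification in `<notes>` is reviewed along with the rest of the build configuration. A blanket suppression of the CVE without a `packageUrl` would also hide a genuinely vulnerable spring-messaging if one were ever pulled in transitively, so keep the scope narrow.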