The form binding problem in spring-framework is actually a bypass of the CVE-2010-1622 vulnerability in a later version of the JDK. In JDK 9 and later versions, the new module attribute can be exploited to bypass the fixing logic of the CVE-2010-1622 vulnerability.
When, and in which version, will this be upgraded and repaired?
Comment From: ryanjbaxter
See:
https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative
https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now
https://spring.io/blog/2022/03/31/spring-boot-2-5-12-available-now
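
The issue description above says the `module` attribute added in JDK 9 gets past the CVE-2010-1622 fixing logic. The following is an added illustration, not code from this thread or from Spring: it lists which bean properties of `java.lang.Class` pass a name deny-list versus a stricter type-aware filter. Both filters and the class name `ClassPropertyFilterDemo` are simplified assumptions made for this example.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.List;

// Added illustration; the two filters are simplified stand-ins, not Spring's source.
public class ClassPropertyFilterDemo {

    // Name deny-list in the style of the CVE-2010-1622 fix: only the two
    // dangerous property names known at the time are blocked on java.lang.Class.
    static boolean nameDenyListAllows(Class<?> beanClass, PropertyDescriptor pd) {
        return !(beanClass == Class.class
                && ("classLoader".equals(pd.getName()) || "protectionDomain".equals(pd.getName())));
    }

    // Stricter filter (assumption for this example): on java.lang.Class allow only
    // name-style properties, and never expose ClassLoader/ProtectionDomain typed ones.
    static boolean typeAwareFilterAllows(Class<?> beanClass, PropertyDescriptor pd) {
        if (beanClass == Class.class && !pd.getName().equals("name") && !pd.getName().endsWith("Name")) {
            return false;
        }
        Class<?> type = pd.getPropertyType(); // null for indexed-only properties
        return type == null
                || !(ClassLoader.class.isAssignableFrom(type) || ProtectionDomain.class.isAssignableFrom(type));
    }

    // Names of the bean properties of beanClass that the chosen filter lets through.
    static List<String> allowed(Class<?> beanClass, boolean strict) throws IntrospectionException {
        BeanInfo info = Introspector.getBeanInfo(beanClass);
        List<String> names = new ArrayList<>();
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            boolean ok = strict ? typeAwareFilterAllows(beanClass, pd) : nameDenyListAllows(beanClass, pd);
            if (ok) names.add(pd.getName());
        }
        return names;
    }

    public static void main(String[] args) throws IntrospectionException {
        System.out.println("Java version: " + System.getProperty("java.version"));
        List<String> loose = allowed(Class.class, false);
        // java.lang.Class gained getModule() in JDK 9, which a name deny-list never anticipated.
        System.out.println("deny-list lets 'module' through: " + loose.contains("module"));
        System.out.println("deny-list allows:  " + loose);
        System.out.println("type-aware allows: " + allowed(Class.class, true));
    }
}
```

Running it on JDK 8 and again on JDK 9 or later shows how the set of exposed properties changes with the runtime, which is why upgrading to the releases linked above matters more than maintaining a list of blocked names.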