You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I've been trying to get an old spring boot project updated to resolve nvd vulnerabilities- the max spring boot version I can go to is 2.7.x due to JDK8 being a constraint.
Thymeleaf 3.0.15 has the above mentioned CVE vulnerability, but moving up to 3.1.x you now require slf4j version 2.0.x which completely screws up the logging in spring boot 2.7.x, which only seems to work with 1.7.x
can a 3.0.16 be produced with whatever mitigation was put into 3.1.2? (presumably 3.1.2 has a mitigation as the CVE seems to indicate 3.1.1 might be the last version to be vulnerable.)
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Hi,
I've been trying to get an old spring boot project updated to resolve nvd vulnerabilities- the max spring boot version I can go to is 2.7.x due to JDK8 being a constraint.
Thymeleaf 3.0.15 has the above mentioned CVE vulnerability, but moving up to 3.1.x you now require slf4j version 2.0.x which completely screws up the logging in spring boot 2.7.x, which only seems to work with 1.7.x
can a 3.0.16 be produced with whatever mitigation was put into 3.1.2? (presumably 3.1.2 has a mitigation as the CVE seems to indicate 3.1.1 might be the last version to be vulnerable.)
details of CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-38286
regards,
Ben
Beta Was this translation helpful? Give feedback.
All reactions