Description
Current Behavior
While version 5.0.1 fixed a lot of CVEs, there is now one major CVE left on Spring Framework 5.3 which is probably non-trivial to fix.
It appears that there will not be a 5.3.x release addressing the issue.
Upgrading to Spring Boot 3 (see also #5063) will partially fix this because Spring Boot 3 uses Spring 6, but we may also need to upgrade the (non-Spring-Boot) Spring dependencies of the workbench.
Expected Behavior
Upgrading to a newer release of zookeeper fixes the reported CVE for the zookeeper dependency.
Steps To Reproduce
No response
Version
5.0.1
Are you interested in contributing a solution yourself?
Perhaps?
Anything else?
See also spring-projects/spring-framework#24434
Upgrading may not be strictly necessary, since one of the comments states:
Having said that it can be used as a reminder to check that there are no HTTP Invoker endpoints exposed to untrusted clients. If there are none, then nothing further to do.
(but automated scanners will still report this as a serious issue)
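One way to actually perform the check quoted above, as an added example that is not code from this issue or from the workbench: a hypothetical Spring Boot startup component that lists every bean using HTTP Invoker remoting in the live application context. It assumes a Spring Boot 2.x application on Spring Framework 5.3, where these classes still exist (they were removed in Spring 6).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.ApplicationContext;
import org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean;
import org.springframework.remoting.rmi.RemoteInvocationSerializingExporter;
import org.springframework.stereotype.Component;

// Hypothetical audit component added as an example; not part of the workbench.
// Runs once at startup and reports every bean that exports or consumes HTTP Invoker
// remoting, so the "no HTTP Invoker endpoints" condition quoted from the Spring
// issue is verified against the live context instead of assumed.
@Component
public class HttpInvokerAudit implements ApplicationRunner {

    private final ApplicationContext context;

    public HttpInvokerAudit(ApplicationContext context) {
        this.context = context;
    }

    // Server side: HttpInvokerServiceExporter and SimpleHttpInvokerServiceExporter
    // both extend RemoteInvocationSerializingExporter and deserialize Java objects
    // sent by the caller, which is what makes an exposed endpoint risky.
    public List<String> findExporters() {
        return new ArrayList<>(
            context.getBeansOfType(RemoteInvocationSerializingExporter.class).keySet());
    }

    // Client side: proxies deserialize whatever the remote service returns, so they
    // matter when the application calls an HTTP Invoker service it does not control.
    public List<String> findClientProxies() {
        return Arrays.asList(context.getBeanNamesForType(HttpInvokerProxyFactoryBean.class));
    }

    @Override
    public void run(ApplicationArguments args) {
        List<String> exporters = findExporters();
        List<String> proxies = findClientProxies();
        if (exporters.isEmpty() && proxies.isEmpty()) {
            System.out.println("HTTP Invoker audit: no exporter or proxy beans found");
        } else {
            System.err.println("HTTP Invoker audit: exporters=" + exporters
                + " proxies=" + proxies);
        }
    }
}
```

An empty result from both methods is the condition under which the quoted comment says nothing further is needed; any exporter bean name points at the configuration that registers an endpoint and should be reviewed for which clients can reach it.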