Is the system affected by CVE-2022-2296 if it only uses spring-plugin-core from the mentioned impacted list?
Configuration
- Java 8
- Spring Boot: 2.2.6.RELEASE
- Packaged as executable JAR
- spring-plugin-core: 1.2.0.RELEASE
CodePudding user response:
A quick search for Spring Boot 2.2.6.RELEASE shows the Maven repository with all vulnerabilities listed: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot/2.2.6.RELEASE