Addressed CVE-2026-33870 and CVE-2026-33871 (HIGH) by upgrading the Spring...

This MR addresses multiple HIGH severity vulnerabilities related to Netty and Jackson, and simplifies dependency management.

Changes

  • Upgraded Spring Boot version to address:

    • CVE-2026-33870 (netty-codec-http)
    • CVE-2026-33871 (netty-codec-http2)

    The upgrade ensures alignment with a safer Netty version (4.1.132.Final) across:

    • io.netty:netty-codec-http
    • io.netty:netty-codec-http2
  • Verified affected artifacts in the built image:

    • app.jar/BOOT-INF/lib/netty-codec-http-4.1.130.Final.jar
    • app.jar/BOOT-INF/lib/netty-codec-http2-4.1.130.Final.jar
  • Removed explicit Jackson BOM override:

    • Spring Boot now provides Jackson 2.21.2, which resolves GHSA-72hv-8253-57qq

Notes

  • According to vulnerability metadata:
    • CVE-2026-33871 fix is available in:

      • 4.1.132.Final
      • 4.2.10.Final
    • CVE-2026-33870 fix is available in:

      • 4.1.132.Final
      • 4.2.10.Final
  • Current version (4.1.132.Final) is brought by Spring Boot
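The two checks this MR describes, confirming which Netty jars a built image actually ships and comparing them against the per-branch fixed versions from the vulnerability metadata (4.1.132.Final on the 4.1 line, 4.2.10.Final on the 4.2 line), can be scripted so the result is not read off by eye. The following is an added example and not code from this MR or the project. It assumes the standard Spring Boot fat-jar layout (`BOOT-INF/lib/`) and Netty's `X.Y.Z.Final` artifact naming; the jar contents it inspects are constructed in memory for the demonstration, not taken from the real image.

```python
"""Audit the Netty artifacts bundled in a Spring Boot fat jar against branch-specific fixed versions.

Added example; assumes the BOOT-INF/lib layout and Netty's X.Y.Z.Final naming.
"""
import io
import re
import zipfile

# First fixed version per release line, as given in the MR's vulnerability metadata.
# A 4.2.x build older than 4.2.10 is still vulnerable even though it sorts above 4.1.132,
# so the comparison must be done within the branch, not across all versions.
FIXED_BY_BRANCH = {
    (4, 1): (4, 1, 132),
    (4, 2): (4, 2, 10),
}

# Artifacts named in the CVEs (io.netty:netty-codec-http and io.netty:netty-codec-http2).
AFFECTED_ARTIFACTS = ("netty-codec-http", "netty-codec-http2")

# Matches e.g. BOOT-INF/lib/netty-codec-http2-4.1.130.Final.jar
JAR_RE = re.compile(
    r"^BOOT-INF/lib/(?P<artifact>[A-Za-z0-9._-]+?)-"
    r"(?P<version>\d+\.\d+\.\d+(?:\.[A-Za-z0-9]+)?)\.jar$"
)


def parse_version(text):
    """'4.1.130.Final' -> (4, 1, 130); the qualifier is ignored for ordering."""
    return tuple(int(p) for p in text.split(".")[:3])


def list_lib_jars(jar_bytes):
    """Return the BOOT-INF/lib entries of a fat jar given as bytes (what `unzip -l` would show)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist() if n.startswith("BOOT-INF/lib/") and n.endswith(".jar")]


def audit_netty(entries):
    """Map each affected Netty artifact found to (version string, status).

    status is 'fixed', 'vulnerable', or 'unknown-branch' when the metadata lists
    no fixed version for that release line (treat as needing manual review).
    """
    findings = {}
    for name in entries:
        m = JAR_RE.match(name)
        if not m or m.group("artifact") not in AFFECTED_ARTIFACTS:
            continue
        version = parse_version(m.group("version"))
        fixed = FIXED_BY_BRANCH.get(version[:2])
        if fixed is None:
            status = "unknown-branch"
        elif version >= fixed:
            status = "fixed"
        else:
            status = "vulnerable"
        findings[m.group("artifact")] = (m.group("version"), status)
    return findings


def build_sample_jar(lib_versions):
    """Construct an in-memory fat jar with the given {artifact: version} entries (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/classes/application.properties", "")
        for artifact, version in lib_versions.items():
            zf.writestr(f"BOOT-INF/lib/{artifact}-{version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed 'before' and 'after' images mirroring the versions quoted in the MR.
    before = build_sample_jar({
        "netty-codec-http": "4.1.130.Final",
        "netty-codec-http2": "4.1.130.Final",
        "jackson-databind": "2.20.0",
    })
    after = build_sample_jar({
        "netty-codec-http": "4.1.132.Final",
        "netty-codec-http2": "4.1.132.Final",
        "jackson-databind": "2.21.2",
    })
    for label, jar in (("before", before), ("after", after)):
        print(label, audit_netty(list_lib_jars(jar)))
```

To run it against a real build, replace the constructed jars with `open("app.jar", "rb").read()` and fail the pipeline step if any status is not `fixed`. The branch-keyed table is the part worth keeping: a plain "version >= 4.1.132" check would wrongly pass a 4.2.5 build.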
