Current versions of tomcat-embed-core and jackson-dataformat-cbor have known CVE vulnerabilities. This change addresses the issue by upgrading to the higher minor versions, which don't have any vulnerability.
Below are the listed vulnerabilities for the library versions
tomcat-embed-core-9.0.37.jar : CVE-2021-25122, CVE-2021-24122, CVE-2021-25329
jackson-dataformat-cbor-2.11.3.jar : CVE-2020-28491
We plan to create a release candidate with this change and use it in services to resolve the same issue there too.
The vulnerabilities were flagged in SLB's internal Whitesource scan