Fixed CVEs for Spring Security, Netty and Tomcat by updating Spring Boot...
Type of change
- Bug Fix
- Feature
Please provide a link to the GitLab issue or ADR (Architecture Decision Record)
Does this introduce a change in the core logic?
- [NO]
Does this introduce a change in the cloud provider implementation, if so which cloud?
- AWS
- Azure
- Google Cloud
- IBM
Does this introduce a breaking change?
- [NO]
Any other useful information
Fixed CVEs for Spring Security, Netty and Tomcat by updating the Spring Boot version. Removed the Jackson and Netty BOMs from some places, since Spring Boot will provide the safe version for the module(s).
High level design:
Issue:
This MR addresses multiple HIGH severity vulnerabilities related to Netty and Jackson, and simplifies dependency management.
Change details:
- Upgraded Spring Boot version to address high and critical CVEs:
  - CVE-2026-33870 (netty-codec-http) -> app.jar/BOOT-INF/lib/netty-codec-http-4.1.130.Final.jar
  - CVE-2026-33871 (netty-codec-http2) -> app.jar/BOOT-INF/lib/netty-codec-http2-4.1.130.Final.jar
  - CVE-2026-22732 (security:spring-security-web) -> app.jar/BOOT-INF/lib/spring-security-web-6.5.7.jar
  - CVE-2026-24734 (tomcat) -> app.jar/BOOT-INF/lib/tomcat-embed-core-10.1.50.jar
  - CVE-2021-0341 (com.squareup.okhttp3:okhttp) -> app.jar/BOOT-INF/lib/okhttp-3.14.9.jar
- The upgrade ensures alignment with a safer Netty version (4.1.132.Final), Jackson (2.21.2) and Tomcat (10.1.53).
- Removed the explicit Jackson BOM and Netty BOM override, since Spring Boot provides safe versions.
Notes
- According to vulnerability metadata:
  - CVE-2021-0341 fix is available in: 4.9.2
  - CVE-2026-33871 fix is available in: 4.1.132.Final, 4.2.10.Final
  - CVE-2026-33870 fix is available in: 4.1.132.Final, 4.2.10.Final
  - CVE-2026-22732 fix is available in: 6.5.9, 7.0.4
  - CVE-2026-24734 fix is available in: 11.0.18, 10.1.52+
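Added example (not part of this MR or the project): a Python check that reads the `BOOT-INF/lib` entries of the built fat jar and compares each affected artifact against the minimum fixed versions quoted in the notes above, so the upgrade can be verified on the artifact rather than trusted from the BOM. The `BEFORE` listing is the vulnerable set named in this MR; the `AFTER` listing is constructed from the versions quoted here, and spring-security-web 6.5.9 and okhttp 4.9.2 are assumptions about what the upgrade lands, not versions stated in the MR.

```python
import re
import zipfile

# Minimum fixed version per release line, as quoted in the MR's "fix is available in" notes.
FIXED = {
    "CVE-2026-33870": ("netty-codec-http", ["4.1.132.Final", "4.2.10.Final"]),
    "CVE-2026-33871": ("netty-codec-http2", ["4.1.132.Final", "4.2.10.Final"]),
    "CVE-2026-22732": ("spring-security-web", ["6.5.9", "7.0.4"]),
    "CVE-2026-24734": ("tomcat-embed-core", ["10.1.52", "11.0.18"]),
    "CVE-2021-0341": ("okhttp", ["4.9.2"]),
}

# Constructed listings: BEFORE is the MR's vulnerable set; AFTER assumes the upgrade landed (6.5.9, 4.9.2 assumed).
BEFORE = ["BOOT-INF/lib/netty-codec-http-4.1.130.Final.jar",
          "BOOT-INF/lib/netty-codec-http2-4.1.130.Final.jar",
          "BOOT-INF/lib/spring-security-web-6.5.7.jar",
          "BOOT-INF/lib/tomcat-embed-core-10.1.50.jar",
          "BOOT-INF/lib/okhttp-3.14.9.jar"]
AFTER = ["BOOT-INF/lib/netty-codec-http-4.1.132.Final.jar",
         "BOOT-INF/lib/netty-codec-http2-4.1.132.Final.jar",
         "BOOT-INF/lib/spring-security-web-6.5.9.jar",
         "BOOT-INF/lib/tomcat-embed-core-10.1.53.jar",
         "BOOT-INF/lib/okhttp-4.9.2.jar"]

def parse_version(v):
    """'4.1.130.Final' -> (4, 1, 130): only numeric components take part in the comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def lib_version(path):
    """'BOOT-INF/lib/okhttp-3.14.9.jar' -> ('okhttp', '3.14.9'); None for non-jar entries."""
    m = re.fullmatch(r"BOOT-INF/lib/(.+?)-(\d[\w.]*)\.jar", path)
    return (m.group(1), m.group(2)) if m else None

def status(installed, fixed_versions):
    """Compare on the installed major.minor line; off-line versions older than every fix are flagged."""
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_versions]
    for fv in fixes:
        if fv[:2] == inst[:2]:
            return "fixed" if inst >= fv else "vulnerable"
    return "vulnerable" if inst < min(fixes) else "unknown"

def audit(lib_paths):
    """Return {CVE: (artifact, installed version, status)} for each affected artifact present."""
    libs = dict(filter(None, map(lib_version, lib_paths)))
    return {cve: (art, libs[art], status(libs[art], fixed))
            for cve, (art, fixed) in FIXED.items() if art in libs}

def audit_jar(jar_path):
    with zipfile.ZipFile(jar_path) as z:  # run the same audit over a real fat jar, e.g. target/app.jar
        return audit(z.namelist())
```

A result of `unknown` means the installed version sits on a release line the metadata does not list (for example 6.6.x when the fixes are 6.5.9 and 7.0.4) and needs a manual look rather than a pass.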