...

  • Guava (any) (CVE-2020-8908)

    • We don't use the affected, deprecated function, and upstream has not released a fix for the issue.

  • Ant (1.10.10) (CVE-2021-36373, CVE-2021-36374)

    • Ant is only used during installation, and the archives it processes are downloaded packages that should always be verified via their GPG signature before they are processed. Plugin installation verifies signatures automatically unless this is forcibly overridden. We will update the dependency at the next patch opportunity.

  • Commons Compress (1.20) (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)

    • See Ant note.

  • log4j-over-slf4j (1.7.30) (CVE-2020-9488)

    • The issue affects only the non-default SMTP logging functionality. We will update the dependency at the next patch opportunity if feasible (the logging stack has many interdependencies).

  • xmlsec (2.1.6) (CVE-2021-40690)

    • We don’t use the code involved in the vulnerability. We will update the dependency at the next patch opportunity.

  • Spring 5.3.x (CVE-2021-22096)

    • Spring's description of the log injection issue is very vague, but it appears to us very unlikely that it could ever be fully fixed in Spring itself (as opposed to mitigated within the logging library), so we don't believe the mitigations they have added will help much. We have thousands of logging statements that log all sorts of data, and we believe some of them are certainly vulnerable to manipulation. The only alternative would be not to log anything. The takeaway is to treat logs with a grain of salt. We plan to update Spring in the next release to address the CVE.
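The Spring entry above explains why log injection is better handled in the logging layer than by patching individual call sites. The following is an added example, not Spring's code or this project's, written in Python rather than Java for brevity: a naive log line that interpolates a client-controlled User-Agent, a log parser that is fooled by the forged record, and a logging Formatter that escapes control characters once for every logging statement. The sample User-Agent value, the record layout and the logger name `HttpFilter` are constructed for the example.

```python
"""Log injection: the vulnerable pattern, why parsers trust it, and a
logging-layer fix (added example, not from the project being discussed)."""
import io
import logging
import re

# Constructed sample: a client-controlled value (User-Agent) that embeds a
# newline followed by a forged, legitimate-looking log record.
FORGED_UA = (
    "Mozilla/5.0\n"
    "2021-10-01 12:00:01 INFO  AuthService - login succeeded user=admin"
)

RECORD_RE = re.compile(r"^(\S+ \S+) (\w+)\s+(\S+) - (.*)$")


def naive_log_line(user_agent: str) -> str:
    """Vulnerable pattern: untrusted input interpolated straight into the
    record. An embedded newline ends the record early and starts a new one."""
    return f"2021-10-01 12:00:00 INFO  HttpFilter - request ua={user_agent}"


def parse_records(text: str) -> list:
    """A typical line-oriented log parser (SIEM style): one record per line.
    Returns (timestamp, level, logger, message) tuples for lines that match."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            out.append(m.groups())
    return out


def sanitize(value: str) -> str:
    """Escape CR, LF and every other ASCII control character so a value can
    never terminate or reshape a record. The escaped form stays greppable."""
    return re.sub(r"[\x00-\x1f\x7f]", lambda m: "\\x%02x" % ord(m.group()), value)


class EscapingFormatter(logging.Formatter):
    """Applies sanitize() to the rendered message (msg % args) for every
    statement, so thousands of call sites need no individual changes.
    formatMessage() runs after record.message is built and before any
    exception text is appended, so multi-line stack traces are left intact."""

    def formatMessage(self, record: logging.LogRecord) -> str:
        record.message = sanitize(record.message)
        return super().formatMessage(record)


def hardened_log(user_agent: str) -> str:
    """Log the same request through the escaping formatter; returns the text
    that would reach the log file."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(
        EscapingFormatter("%(asctime)s %(levelname)s %(name)s - %(message)s")
    )
    logger = logging.getLogger("HttpFilter")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    try:
        logger.info("request ua=%s", user_agent)
        handler.flush()
    finally:
        logger.removeHandler(handler)
    return buf.getvalue()


if __name__ == "__main__":
    print("naive records parsed:", parse_records(naive_log_line(FORGED_UA)))
    print("hardened records parsed:", parse_records(hardened_log(FORGED_UA)))
```

The parser sees two records in the naive output, the second a forged successful admin login, which is exactly why log lines built from request data cannot be taken at face value. Escaping in the formatter is the "mitigation within the logging library" the entry refers to; it does not need every call site to be touched and still leaves the evidence of the attempt (the escaped `\x0a`) in the record.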
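The Ant and Commons Compress entries above rest on one control: an archive is only handed to the extraction code after its GPG signature has been verified. The script below is an added example of that check, not the project's own installer code. It assumes a detached ASCII-armored signature (`plugin.tgz.asc`) next to the archive and `gpg` plus `tar` on the PATH; the demo signs with a throwaway key generated in a temporary keyring, which stands in for the real signing key, and then shows that a modified archive is refused.

```shell
#!/bin/sh
# Added example: verify a detached GPG signature before extracting an archive.
# The key, file names and keyring are assumptions constructed for the demo.
set -eu

# verify_then_extract ARCHIVE SIGNATURE DEST
# Extracts ARCHIVE into DEST only if SIGNATURE verifies against a key in the
# current keyring; otherwise leaves DEST untouched and returns 1.
verify_then_extract() {
    archive=$1; sig=$2; dest=$3
    if gpg --batch --verify "$sig" "$archive" 2>/dev/null; then
        mkdir -p "$dest"
        tar -xzf "$archive" -C "$dest"
        return 0
    fi
    echo "refusing to extract $archive: signature check failed" >&2
    return 1
}

# demo: sign a constructed archive with a throwaway key, verify it, then
# tamper with it and confirm extraction is refused. Returns 0 on success.
demo() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' default default never 2>/dev/null
    mkdir "$work/pkg"
    echo 'plugin payload' > "$work/pkg/plugin.txt"
    tar -czf "$work/plugin.tgz" -C "$work" pkg
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --armor --output "$work/plugin.tgz.asc" "$work/plugin.tgz"

    # Untampered archive: verifies and is extracted.
    good=0
    verify_then_extract "$work/plugin.tgz" "$work/plugin.tgz.asc" "$work/out-good" || good=$?

    # Tampered archive (attacker swaps in a crafted file): verify must fail
    # and nothing may be extracted.
    printf 'crafted bytes' >> "$work/plugin.tgz"
    bad=0
    verify_then_extract "$work/plugin.tgz" "$work/plugin.tgz.asc" "$work/out-bad" || bad=$?
    extracted_bad=0
    [ -d "$work/out-bad" ] && extracted_bad=1

    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ] && [ "$extracted_bad" -eq 0 ]
}
```

The order matters: `gpg --verify` runs on the archive bytes before `tar` (or Ant, or Commons Compress) ever parses them, so a crafted archive that targets the extractor is rejected on signature grounds first. In production the keyring should contain only the expected signing key, and the override that skips this check should be treated as an exception to audit, not a convenience.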