Security issues in transitive dependency of xmlunit-core-2.9.1.jar

[obaSAP]

Hello,

We've found the following security issue in the transitive dependency of xmlunit-core-2.9.1.jar (SPRING-CLOUD-DATAFLOW 2.11.3)
https://www.mend.io/vulnerability-database/CVE-2024-31573
Would appreciate your kind assistance with fixing the issue.

Thanks & BR,
Omri.

[onobc]

Hi @obaSAP ,

Thanks for the speedy report. You know how these CVEs are... the moment you release the bits, there is already another CVE to deal with. :)

That being said, this is a medium severity vulnerability and as such will be handled naturally in the next release which is scheduled for September 2024.

Our policy is to expedite the release only when it is a HIGH or CRITICAL.

[corneil]

@obaSAP The spring-boot-starter-test dependency was incorrectly defined without a scope in spring-cloud-dataflow-aggregate-task. This has been rectified in 2.11.4-SNAPSHOT. The code is not reachable by the application in normal operation.