We are using the Atlassian SDK to develop a custom Jira plugin in which we are also using the atlassian-spring-scanner-annotation dependency. After building the Jira plugin, we noticed that the following Spring-related dependencies are getting packaged with the plugin:
- spring-dao-2.0.6.jar
- spring-jdbc-2.0.6.jar
- spring-web-5.2.15.RELEASE.jar
- spring-security-core-5.4.5.jar
- spring-context-5.1.18.RELEASE.jar
- spring-aop-5.1.18.RELEASE.jar
- spring-expression-5.1.18.RELEASE.jar
- spring-core-5.1.18.RELEASE.jar
- spring-jcl-5.1.18.RELEASE.jar
- spring-beans-5.1.18.RELEASE.jar
- spring-ldap-core-2.3.2.RELEASE.jar
- spring-tx-5.1.18.RELEASE.jar
Can anyone please clarify whether these Spring-related dependencies are vulnerable to the Spring CVEs (CVE-2022-22963, CVE-2022-22965)? If they are vulnerable, is there any possible workaround to fix it?
Thanks & Regards,
Preethi H R
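An added triage script for the jar list above (editor's example; it is not part of the question or any reply). It encodes the version ranges from the Spring advisories: CVE-2022-22965 affects Spring Framework 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19, fixed in 5.3.18 and 5.2.20, with "older unsupported versions" (the 5.1.x and 2.0.x lines here) listed as affected and never patched; CVE-2022-22963 is a Spring Cloud Function bug (fixed in 3.1.7 / 3.2.3) and does not live in any of the spring-* Framework jars listed. The script also checks for spring-webmvc / spring-webflux, since the published CVE-2022-22965 exploit needs one of them (plus JDK 9+, Tomcat and WAR packaging, which cannot be read from jar names). The `scan_plugin_jar` helper assumes AMPS bundles compile-scope dependencies under `META-INF/lib/` inside the plugin jar; `BUNDLED_JARS` is the list quoted in the question, embedded as constructed input.

```python
"""Triage bundled Spring jars against the published version ranges for
CVE-2022-22965 (Spring Framework) and CVE-2022-22963 (Spring Cloud Function).
Added example; not code from the original question or from Atlassian."""
import re
import zipfile
from typing import Dict, Iterable, Tuple

# Artifact ids that are part of Spring Framework proper and so share its
# version line and its CVE-2022-22965 fix versions (5.2.20 / 5.3.18).
SPRING_FRAMEWORK_ARTIFACTS = {
    "spring-core", "spring-beans", "spring-context", "spring-aop",
    "spring-expression", "spring-jcl", "spring-web", "spring-webmvc",
    "spring-webflux", "spring-tx", "spring-jdbc", "spring-orm", "spring-dao",
}
# CVE-2022-22963 is in Spring Cloud Function only (fixed in 3.1.7 / 3.2.3).
# spring-security-* and spring-ldap-* are separate projects with their own
# version lines; neither CVE is about them, so they are left out of findings.
CLOUD_FUNCTION_PREFIX = "spring-cloud-function"

JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d[\w.]*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.1.18.RELEASE' -> (5, 1, 18); the textual qualifier is dropped."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def assess_spring_framework(version: str) -> str:
    v = parse_version(version)
    if v >= (5, 3, 18) or (v[:2] == (5, 2) and v >= (5, 2, 20)):
        return "fixed"
    if v[:2] in ((5, 2), (5, 3)):
        return "affected: CVE-2022-22965 (upgrade to 5.2.20+ / 5.3.18+)"
    # 5.1.x and older are out of support: listed as affected, no patched build.
    return "affected: CVE-2022-22965, unsupported line (upgrade to 5.3.18+)"


def assess_cloud_function(version: str) -> str:
    v = parse_version(version)
    if v >= (3, 2, 3) or (v[:2] == (3, 1) and v >= (3, 1, 7)):
        return "fixed"
    return "affected: CVE-2022-22963 (upgrade to 3.1.7+ / 3.2.3+)"


def triage(jar_names: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map artifact id -> (version, verdict) for every in-scope Spring jar."""
    findings: Dict[str, Tuple[str, str]] = {}
    for name in jar_names:
        m = JAR_RE.match(name.rsplit("/", 1)[-1])
        if not m:
            continue
        artifact, version = m.group("artifact"), m.group("version")
        if artifact in SPRING_FRAMEWORK_ARTIFACTS:
            findings[artifact] = (version, assess_spring_framework(version))
        elif artifact.startswith(CLOUD_FUNCTION_PREFIX):
            findings[artifact] = (version, assess_cloud_function(version))
    return findings


def has_known_exploit_path_deps(findings: Dict[str, Tuple[str, str]]) -> bool:
    """The public CVE-2022-22965 exploit targets Spring MVC / WebFlux data
    binding; without either jar the advisory's precondition is not met.
    (JDK 9+, Tomcat and WAR packaging are the other preconditions.)"""
    return "spring-webmvc" in findings or "spring-webflux" in findings


def scan_plugin_jar(path: str) -> Dict[str, Tuple[str, str]]:
    """Triage the jars an OSGi plugin bundles under META-INF/lib/ (assumed
    AMPS layout for compile-scope dependencies)."""
    with zipfile.ZipFile(path) as zf:
        nested = [n for n in zf.namelist()
                  if n.startswith("META-INF/lib/") and n.endswith(".jar")]
    return triage(nested)


# Constructed input: the jar list quoted in the question.
BUNDLED_JARS = [
    "spring-dao-2.0.6.jar", "spring-jdbc-2.0.6.jar",
    "spring-web-5.2.15.RELEASE.jar", "spring-security-core-5.4.5.jar",
    "spring-context-5.1.18.RELEASE.jar", "spring-aop-5.1.18.RELEASE.jar",
    "spring-expression-5.1.18.RELEASE.jar", "spring-core-5.1.18.RELEASE.jar",
    "spring-jcl-5.1.18.RELEASE.jar", "spring-beans-5.1.18.RELEASE.jar",
    "spring-ldap-core-2.3.2.RELEASE.jar", "spring-tx-5.1.18.RELEASE.jar",
]

if __name__ == "__main__":
    result = triage(BUNDLED_JARS)
    for artifact, (version, verdict) in sorted(result.items()):
        print(f"{artifact:<18} {version:<16} {verdict}")
    print("spring-webmvc/webflux bundled:", has_known_exploit_path_deps(result))
```

Run against the list in the question, every Spring Framework jar comes back as an affected or unsupported version (spring-web 5.2.15 is inside the patched 5.2.x range and can simply move to 5.2.20+; the 5.1.18 and 2.0.6 jars have no patched release on their line), while spring-security-core and spring-ldap-core are out of scope for both CVEs and no spring-cloud-function jar is present, so CVE-2022-22963 does not apply. The version verdict is the first question to answer; whether the bundled jars are even reachable from a request is a separate check, because a Jira plugin is an OSGi bundle that shares the host's servlet container, and neither spring-webmvc nor spring-webflux is in the list.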