Upgrade to Tomcat 10.1.44.

Comment From: paranjayBhanot

Hi @snicoll, even though it is mentioned that Tomcat is upgraded to 10.1.44 in Spring Boot 3.5.5, surprisingly, we are still getting vulnerabilities for Tomcat version 10.1.36. This is one of the vulnerabilities reported by Blackduck Direct: Apache Tomcat 10.1.36 (CVE-2024-38286|BDSA-2024-6864)

Would it be possible to look into this?

Comment From: wilkinsona

Not on our side as false positives from Blackduck are out of our control. You should raise it with them.

Comment From: bclozel

@paranjayBhanot this looks like a dependency management issue in your application build, maybe you are overriding the version somewhere. You can check dependency versions with Maven or Gradle.

This could also be an issue with the Blackduck tool itself since the CVE mentioned here should be fixed in Tomcat 10.1.25, so that does not fit with your issue description.
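One way to do the check suggested above, as an added example that is not part of this thread or of Spring Boot itself: list the Tomcat artifacts Maven actually resolves and compare each against the version Spring Boot is expected to manage. It assumes a Maven project in the current directory; the sample tree output is constructed.

```shell
#!/bin/sh
# Added example (not from the issue thread). Verifies that the Tomcat
# artifacts resolved by the build match the version managed by Spring Boot.
EXPECTED_TOMCAT="${EXPECTED_TOMCAT:-10.1.44}"

# Read "mvn dependency:tree" output on stdin and print one
# "groupId:artifactId:version" line per org.apache.tomcat.embed artifact.
tomcat_versions() {
  grep -o 'org\.apache\.tomcat\.embed:[^: ]*:jar:[^: ]*' \
    | awk -F: '{ print $1 ":" $2 ":" $4 }' | sort -u
}

# Return 0 if every resolved Tomcat artifact has the expected version,
# otherwise print the offending artifacts on stderr and return 1.
check_tomcat() {
  want="$1"
  mismatches=$(tomcat_versions | awk -F: -v want="$want" '$3 != want')
  if [ -n "$mismatches" ]; then
    echo "Resolved Tomcat artifacts that differ from $want:" >&2
    echo "$mismatches" >&2
    return 1
  fi
  return 0
}

# Constructed sample: a tree where one artifact was overridden to 10.1.36,
# the situation a dependencyManagement or property override would produce.
SAMPLE_TREE='[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.44:compile
[INFO] +- org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.44:compile
[INFO] \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.36:compile'

# Run the check against the constructed sample (exit status 1 expected).
demo() {
  printf '%s\n' "$SAMPLE_TREE" | check_tomcat "$EXPECTED_TOMCAT"
}

# Run the check against the real project; the Gradle equivalent is
# "./gradlew dependencyInsight --dependency tomcat-embed-core".
if [ "${1:-}" = "--run" ]; then
  mvn dependency:tree -Dincludes=org.apache.tomcat.embed | check_tomcat "$EXPECTED_TOMCAT"
fi
```

Invoke with `--run` inside the project to check the real dependency tree; without arguments the functions are only defined, so the file can be sourced.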

Comment From: paranjayBhanot

Thanks @wilkinsona and @bclozel, so I checked: there are neither any transitive dependencies nor is it explicitly overridden. Let me raise this with the Blackduck team. Again, thanks for the support.

Comment From: ingoban

@snicoll What was the reason to downgrade the Tomcat version to 10.1.44 in this? In Spring Boot 3.4.10, the Tomcat version is Tomcat 10.1.46.