Black Duck scans of the EM have revealed several vulnerabilities in open source components:
* Spring 5.3.x: CVE-2023-20860 / BDSA-2023-0649 severity 7.9, fixed in 5.3.26
Affects Spring Framework versions 6.0.0 - 6.0.6 and 5.3.0 - 5.3.25.
Using "**" as a pattern in a Spring Security configuration together with mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, with the potential for a security bypass.
* Spring 5.3.x: CVE-2023-20861 / BDSA-2023-0638 severity 5.7, fixed in 5.3.26
Spring Framework is vulnerable to denial-of-service (DoS) via specially crafted SpEL expressions.
* Apache Tomcat 8.5.x: CVE-2023-28708 severity 4.6
* Apache Commons FileUpload: CVE-2023-24998 severity 6.5
file: org.apache.commons.fileupload_1.3.3.jar
* json-smart: CVE-2023-1370 severity 6.7
file: plugins/com.wily.introscope.appmap.em_10.8.1.jar!/WebContent/WEB-INF/lib/json-smart.jar
Scanned EM version: 10.8.1.6
Release: 10.7.x, 10.8.0
Vulnerability defect DE562295
To be fixed in 10.8 SP1