Is Continuous Delivery Director affected by the security vulnerability CVE-2016-1000027?
A security scan has identified this critical vulnerability in org.springframework:spring-web:5.3.39 package of cdd.war 8.7.0
Continuous Delivery Director 8.7.0
Black Duck security scanning was executed on Continuous Delivery Director 8.7.
Black Duck identified that CDD includes the spring-web-5.3.39 package. The vulnerability CVE-2016-1000027 was flagged but marked as “Ignored,” with a note indicating that the Black Duck Security Advisory team has confirmed this version is not affected.
According to their analysis, only versions 3.0.0 to 3.2.16 and 4.0.0 to 4.2.5 fall within the impacted range. Since spring-web-5.3.39 is outside of that scope, the vulnerability does not apply to CDD.
Further details can be found in the following article from Black Duck: CYRC Vulnerability of the Month – Spring Framework
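As an added illustration (not from the original article, Broadcom or Black Duck), the following Python script applies the same triage: it lists the spring-web jars bundled in a WAR and checks each version against the two affected ranges quoted above. The in-memory WAR it builds is a constructed stand-in for cdd.war.

```python
import io
import re
import zipfile

# Affected version ranges as stated in the Black Duck analysis above
# (inclusive bounds, represented as comparable tuples).
AFFECTED_RANGES = [((3, 0, 0), (3, 2, 16)), ((4, 0, 0), (4, 2, 5))]

# Matches WEB-INF/lib/spring-web-5.3.39.jar and spring-web-5.3.39.RELEASE.jar,
# but not spring-webmvc or spring-webflux jars.
JAR_PATTERN = re.compile(r"(?:^|/)spring-web-(\d+\.\d+\.\d+)(?:[.-][^/]*)?\.jar$")


def parse_version(text):
    """Turn '5.3.39' into a comparable tuple (5, 3, 39)."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True if the version lies inside one of the advisory's inclusive ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def find_spring_web_versions(war_bytes):
    """Return the spring-web versions bundled in a WAR archive."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            match = JAR_PATTERN.search(name)
            if match:
                found.append(match.group(1))
    return found


def triage_war(war_bytes):
    """Map each bundled spring-web version to whether CVE-2016-1000027 applies."""
    return {v: is_affected(v) for v in find_spring_web_versions(war_bytes)}


def build_sample_war(spring_web_version):
    """Constructed stand-in for cdd.war: a zip with an empty spring-web jar entry."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/spring-web-{spring_web_version}.jar", b"")
    return buffer.getvalue()


if __name__ == "__main__":
    print(triage_war(build_sample_war("5.3.39")))  # {'5.3.39': False}
    print(triage_war(build_sample_war("4.2.5")))   # {'4.2.5': True}
```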