This issue has been created
There are 2 updates.
 
 
JIRA Components / JIRA-91 Open

The jira macro installs the vulnerable dependency spring-core 5.3.25

 
 

Issue created

 
Thomas Mortagne created this issue on 28/Oct/25 16:31
 
Summary: The jira macro installs a vulnerable dependency
Issue Type: Bug
Affects Versions: 11.1.0
Assignee: Unassigned
Components: Dependency upgrade
Created: 28/Oct/25 16:31
Priority: Blocker
Reporter: Thomas Mortagne
Description:

spring-core 5.3.25 dependency is attached to a CVE. See https://spring.io/security/cve-2025-41249 for the CVE.

No fixed version is available publicly for 5.3.45 (public versions stop at 5.3.39) so it will probably require an upgrade of the jira REST API (which seems to be lagging pretty far behind anyway so it would not be a bad idea anyway).

 
 

2 updates

 
Changes by Thomas Mortagne on 28/Oct/25 16:32
 
Summary: The jira macro installs the vulnerable dependency spring-core 5.3.25
Description: spring-core 5.3.25 dependency is attached to a CVE. See https://spring.io/security/cve-2025-41249 for the CVE.

No fixed version is available publicly for 5.3.45 (public versions stop at 5.3.39) and the first available public version which is fixed is 6.2.11. So it will probably require an upgrade of the jira REST API (which seems to be lagging pretty far behind anyway, so it would not be a bad idea anyway).