It seems this morning that Docker Scout has been flagging CVE-2011-2730 & CVE-2010-1622 against Spring Core 7, specifically 7.0.6.
This would appear to be a false positive.
CVE-2011-2730
Spring EL/JSP tag vulnerability in very old Spring 2.5/3.0 lines. Scout attached it to spring-core@7.0.6, but the advisory's affected range is <= 2.5.7.SR022, and the issue is about Spring JSP taglibs, not modern spring-core.
CVE-2010-1622
Spring data-binding RCE in Spring 2.5.x / 3.0.x before fixed releases. Scout again attached it to spring-core@7.0.6 even though the reported affected range is <= 2.5.6.SEC01 / 3.0.3.RELEASE.
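The range comparison described in the post above, as an added example that is not part of the original post and is not Docker Scout's matching logic: it checks a package version against the `<=` upper bounds quoted above. The function names and the qualifier handling (same numeric version with a different qualifier such as `SR022` is sent to manual review) are assumptions made for this sketch.

```python
import re

# Upper bounds of the affected ranges, exactly as quoted in the post above.
ADVISORY_UPPER_BOUNDS = {
    "CVE-2011-2730": ["2.5.7.SR022"],
    "CVE-2010-1622": ["2.5.6.SEC01", "3.0.3.RELEASE"],
}

def split_version(version):
    """Split '2.5.7.SR022' into ((2, 5, 7), 'SR022')."""
    numeric, qualifier = [], []
    for part in re.split(r"[.\-]", version):
        if part.isdigit() and not qualifier:
            numeric.append(int(part))
        else:
            qualifier.append(part)
    return tuple(numeric), ".".join(qualifier)

def classify(version, upper_bound):
    """Compare version with a '<= upper_bound' range: outside, inside or review."""
    (v, v_qual), (u, u_qual) = split_version(version), split_version(upper_bound)
    width = max(len(v), len(u))
    v += (0,) * (width - len(v))   # pad so 7.0 compares like 7.0.0
    u += (0,) * (width - len(u))
    if v > u:
        return "outside"
    if v < u:
        return "inside"
    # Same numeric version: qualifier ordering is ecosystem-specific, so only
    # an identical qualifier is treated as a definite match (assumption).
    return "inside" if v_qual == u_qual else "review"

def triage(package_version, bounds=ADVISORY_UPPER_BOUNDS):
    """Return a verdict per CVE for one package version."""
    verdicts = {}
    for cve, upper_bounds in bounds.items():
        results = {classify(package_version, ub) for ub in upper_bounds}
        # Above every quoted upper bound means the finding cannot match the
        # reported range; anything else stays a possible match.
        verdicts[cve] = "range-mismatch" if results == {"outside"} else "possible-match"
    return verdicts

if __name__ == "__main__":
    for cve, verdict in triage("7.0.6").items():
        print(f"spring-core@7.0.6 {cve}: {verdict}")
```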