Recently it’s been noticed that spring-core-5.2.1.RELEASE.jar is getting 
flagged for “high” security vulnerability CVE-2020-5398.

Analysis shows that Geode does not use Spring in a manner that would expose 
this vulnerability (none of our REST APIs or Pulse set a Content-Disposition 
header derived from user-supplied input).

The risk of bringing GEODE-7970 is low.  This patch update from 5.2.1 to 5.2.5 
brings bug fixes only.  This exact version was on develop from Apr 8 - Apr 10 & 
passed all tests.  

This fix is critical to avoid false positives in automated vulnerability scans.

-Owen
