
OGNL 3.3.3: not compatible with spring boot 2.7.2 because of thymeleaf?


I am upgrading all the dependencies of my spring-boot project, but I cannot upgrade the ognl dependency from version 3.1.12 (which contains the vulnerability CVE-2020-15250) to the latest version 3.3.3, because I use the process() function on org.thymeleaf.TemplateEngine and I get the following error if I try to force the ognl dependency version to 3.3.3 in my pom.xml:

java.lang.NoClassDefFoundError: ognl/DefaultMemberAccess
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:468)
    at java.net.URLClassLoader.access$100(URLClassLoader.java:74)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:369)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:363)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:362)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
    at org.thymeleaf.standard.expression.OGNLVariableExpressionEvaluator.<clinit>(OGNLVariableExpressionEvaluator.java:76)
    at org.thymeleaf.standard.StandardDialect.getVariableExpressionEvaluator(StandardDialect.java:179)
    at org.thymeleaf.standard.StandardDialect.getExecutionAttributes(StandardDialect.java:393)
    at org.thymeleaf.DialectSetConfiguration.build(DialectSetConfiguration.java:263)
    at org.thymeleaf.EngineConfiguration.<init>(EngineConfiguration.java:123)
    at org.thymeleaf.TemplateEngine.initialize(TemplateEngine.java:336)
    at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1079)
    at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1059)
    at org.thymeleaf.TemplateEngine.process(TemplateEngine.java:1048)

It seems that in version 2.7.2 of spring-boot-starter-thymeleaf, version 3.0.15.RELEASE of thymeleaf is used, and this version tries to use DefaultMemberAccess in ognl, which is no longer available after version 3.2.1 of ognl, according to what I saw.

I do not want to keep a dependency that has a vulnerability (ognl), but the version of thymeleaf in the latest spring-boot version does not allow me to upgrade ognl because of that error.

Am I blocked for the upgrade, or is it possible to do something, please?


Solution

  • As @Andy Wilkinson said, the solution was to replace new TemplateEngine() with new SpringTemplateEngine().

    By doing that, OGNL seems to be unnecessary, because SpringTemplateEngine uses SpEL instead of OGNL, if I understand correctly.

    Thank you for your help.
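The swap described in the answer, as an added example that is not code from the question or the answer: a standalone SpringTemplateEngine from thymeleaf-spring5 (the module Spring Boot 2.7 pulls in) rendering a template with SpEL, plus a classpath check that confirms ognl is really gone once the dependency is removed from pom.xml. The StringTemplateResolver, the inline template and the variable name are assumptions.

```java
import org.thymeleaf.context.Context;
import org.thymeleaf.spring5.SpringTemplateEngine;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

public class SpelTemplateCheck {

    // Built the same way the question built TemplateEngine, but with the Spring variant:
    // its standard dialect evaluates ${...} with SpEL, so Thymeleaf's
    // OGNLVariableExpressionEvaluator (and therefore ognl/DefaultMemberAccess) is never loaded.
    static SpringTemplateEngine buildEngine() {
        // Assumption: inline string templates; a Boot app would normally inject the
        // auto-configured SpringTemplateEngine bean instead of building one here.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.TEXT);
        SpringTemplateEngine engine = new SpringTemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // Renders a constructed template; [[${name}]] is Thymeleaf's inline expression syntax in TEXT mode.
    static String render(SpringTemplateEngine engine, String name) {
        Context ctx = new Context();
        ctx.setVariable("name", name);
        return engine.process("Hello, [[${name}]]!", ctx);
    }

    // After dropping the ognl dependency this should return false. If it still returns true,
    // a transitive dependency is pulling the vulnerable jar back in; locate it with
    // mvn dependency:tree -Dincludes=ognl
    static boolean ognlOnClasspath() {
        try {
            Class.forName("ognl.Ognl");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println(render(buildEngine(), "World"));
        System.out.println("ognl on classpath: " + ognlOnClasspath());
    }
}
```

Run it once with the ognl dependency removed: the template must still render, and the classpath check is the evidence that the CVE-2020-15250 jar is no longer shipped with the application.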