Tags: spring, maven

Is there any chance to get the vulnerability fixed for spring-web and spring-webmvc version 5.3.37?


Recently I've been migrating a legacy Spring Boot application from Spring Boot 1.x to 2.7.x, and I'm using the spring-web and spring-webmvc artifacts at version 5.3.37, which has 1 vulnerability. I get issues with the jakarta and javax servlet-api if I upgrade spring-web and spring-webmvc to 6.0.22 as Checkmarx suggests.

I tried to upgrade spring-web and spring-webmvc to 6.0.22 to avoid the vulnerability, but it didn't work.


Solution

  • There's no chance. The fix for CVE-2016-1000027 breaks some applications which use the library. Any breaking change will increase the major version number. If you consider the risk unacceptable you need to use 6.x.x or later.

    Spring 2 is better than Spring 1 and this affected Spring 1 too. Learn about the vulnerability, check if it applies to your application and how it can be mitigated. You may be able to dismiss the warning, especially if you're planning to move to Spring 3 soon.
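The answer's advice to "check if it applies to your application" can be turned into a concrete triage step. The following is an added example, not code from the question or answer: it walks a source tree and reports which files reference the Spring remoting exporter classes (assumed, from the CVE description, to be `HttpInvokerServiceExporter` and `RemoteInvocationSerializingExporter`, the Java-deserialization endpoints that Spring 6 removed). The sample tree in `demo()` is constructed inline.

```python
"""Triage helper for CVE-2016-1000027 findings on spring-web 5.3.x.

Assumption (not stated on the page): the finding only matters if the
application wires one of Spring's deserialization-based remoting exporters
and exposes it to untrusted callers. No reference to them in the code base
is the usual justification for dismissing the scanner warning.
"""
import re
import tempfile
from pathlib import Path

# Affected exporter classes (assumed from the CVE advisory; removed in Spring 6).
AFFECTED_CLASSES = (
    "HttpInvokerServiceExporter",
    "RemoteInvocationSerializingExporter",
)
SOURCE_SUFFIXES = {".java", ".kt", ".groovy", ".xml"}  # code and XML bean configs
PATTERN = re.compile(r"\b(" + "|".join(AFFECTED_CLASSES) + r")\b")


def scan_text(text: str) -> set:
    """Return the set of affected class names mentioned in one file's content."""
    return set(PATTERN.findall(text))


def scan_tree(root) -> dict:
    """Walk a source tree; map relative path -> affected classes found there."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            found = scan_text(path.read_text(errors="ignore"))
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits


def demo() -> dict:
    """Constructed sample tree: one Java config and one XML config wire an
    exporter, one controller does not. Returns the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "remoting").mkdir()
        (root / "remoting" / "RemotingConfig.java").write_text(
            "import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;\n"
            "public class RemotingConfig { HttpInvokerServiceExporter exporter; }\n")
        (root / "OrderController.java").write_text("public class OrderController {}\n")
        (root / "app-context.xml").write_text(
            '<bean class="org.springframework.remoting.rmi.RemoteInvocationSerializingExporter"/>\n')
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, classes in sorted(demo().items()):
        print(f"{rel_path}: {', '.join(sorted(classes))}")
```

A file in the output means the endpoint must be removed, put behind an authenticated internal boundary, or the upgrade to 6.x accepted; an empty result is the evidence to attach when dismissing the finding.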