I'm using Spring Web MVC v5.3.39 and I'm affected by vulnerability CVE-2024-38816. According to the advisory message of GitHub, I should update to Spring Web MVC v5.3.40.
However, I can't find the artifact for Spring Web MVC v5.3.40. Neither can I find it on mvnrepository.com.
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>5.3.40</version> <!-- This fails -->
</dependency>
How should this issue be resolved?
Spring 5.3.x Open Source Support ended on August 31th 2024 (source). This means that v5.3.40 is only available for commercial support, and can't be found on a central Maven repository (source).
If you don't have commercial support, you're supposed to update to Spring 6.1.13 (Spring Boot 3.x), which does exist on central Maven repositories.
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>6.1.13</version> <!-- This works -->
</dependency>