# questions
s
Hi all, we need to support Kerberos logins. The Grails plugin is relying on this implementation: 'org.springframework.security.kerberos:spring-security-kerberos-core:1.0.1.RELEASE'. This has a bunch of CVEs and is quite old. The most recent version of org.springframework.security.kerberos is v2.0.0, but it says this about its dependencies: "Spring Security Kerberos 2.0.0 is built and tested with JDK 17, Spring Security 6.1.0 and Spring Framework 6.0.9." While JDK 17 seems to work on Grails 6.1.2, the latter dependencies can't be fulfilled as Grails is relying on Spring 5.3. Is our only option to support Kerberos logins using the ancient 1.0.1 of org.springframework.security.kerberos? At first glance the CVEs seem to be "fine" as they are only caused by transitive dependencies on older Spring Security versions, which is already mitigated, but it still feels bad. My expectation is that we need to wait for support of Spring 6. Is that somewhere visible on the horizon? TIA, André
I forgot to add the Grails plugin we were trying to use, which still depends on the 1.0.1 release of org.springframework.security.kerberos. It's this: https://grails-plugins.github.io/grails-spring-security-kerberos/
m
Just use Spring Security Kerberos 1.0.1 and update its dependencies to Spring Security 5.7.x or 5.8.x.
s
@Michael Yan Have you checked the CVEs? I had another look today and I really think they are all related to older versions of the Spring (Security) Framework. Is that also your impression?