Apache 2.17 Security Vulnerability h2-1.4.197.jar and spring-context-5.3.39.jar
Hello,
I use the NuGet package "Apache.Ignite", version "2.17.0", and I get an error when checking for vulnerabilities:
Library: com.h2database:h2 (h2-1.4.197.jar)
Vulnerability: CVE-2021-42392 (CRITICAL)
Fixed Version: 2.0.206
Title: Remote Code Execution in Console
https://avd.aquasec.com/nvd/cve-2021-42392
Vulnerability: CVE-2022-23221 (CRITICAL)
Fixed Version: 2.1.210
Title: Loading of custom classes from remote servers through
https://avd.aquasec.com/nvd/cve-2022-23221
Link to the MVN where these vulnerabilities are listed: https://mvnrepository.com/artifact/com.h2database/h2/1.4.197
Library: org.springframework:spring-context (spring-context-5.3.39.jar)
Vulnerability: CVE-2024-38820 (MEDIUM)
Fixed Version: 6.1.14
Title: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder ...
https://avd.aquasec.com/nvd/cve-2024-38820
Vulnerability: CVE-2025-22233 (LOW)
Fixed Version: 6.2.7, 6.1.20
Title: CVE-2024-38820 ensured Locale-independent, lowercase conversion for bo ...
https://avd.aquasec.com/nvd/cve-2025-22233
Are you planning to update versions to fix vulnerabilities?
I found this information:
https://issues.apache.org/jira/browse/IGNITE-16542
https://github.com/h2database/h2database/pull/2227
Do I understand correctly that the h2database vulnerability will not be fixed in Apache Ignite 2?
https://gitverse.ru/sbertech/ignite-h2