https://bugzilla.redhat.com/show_bug.cgi?id=1591929
--- Comment #9 from Doran Moppert dmoppert@redhat.com --- Statement:
From an OpenDaylight perspective, whilst the shipped versions of Open Dayight ship artifacts which fall within the affected versions ("older unsupported versions"), this flaw only has impact in the presence of an existing XSS flaw. Given there are currently no XSS flaws in the shipped versions, and the libraries themselves are not used in a vulnerable way, no package update to mitigate this flaw for Open Daylight is required.
The package rhevm-dependencies does not include the spring-webmvc component, where this vulnerability exists.