An auditor is questioning why CVE-2024-22243 does not apply to jenkins. Spring framework. can anyone provide more detail please?
See https://spring.io/security/cve-2024-22243. Jenkins has been shipping Spring 5.3.32 or later on the weekly release line since 2.446, on the 2.452.x LTS line since 2.452.1, and on the 2.440.x LTS line since 2.440.3.