Several CVEs through dependency on outdated WSS4J DOM WS Security

[snv]

Even after upgrading to the recent 3.2.0 Spring Boot release i still get a critical vulnerability alert, because spring-ws-security still (transitively) pulls in a flagged versions.

[INFO] --- dependency:3.6.1:tree (default-cli) @ server ---
[INFO] [My Project]
[INFO] +- org.springframework.ws:spring-ws-security:jar:4.0.8:compile
[INFO] |  \- org.apache.wss4j:wss4j-ws-security-dom:jar:2.4.1:compile
[INFO] |     \- org.apache.wss4j:wss4j-ws-security-common:jar:2.4.1:compile
[INFO] |        \- org.opensaml:opensaml-saml-impl:jar:3.4.6:compile
[INFO] |           \- org.opensaml:opensaml-security-impl:jar:3.4.6:compile
[INFO] |              \- org.opensaml:opensaml-security-api:jar:3.4.6:compile
[INFO] |                 \- org.bouncycastle:bcprov-jdk15on:jar:1.59:compile
[INFO] \- org.springframework.security:spring-security-rsa:jar:1.1.1:compile
[INFO]    \- org.bouncycastle:bcprov-jdk18on:jar:1.74:compile

This pulls in several CVEs.
For example, directly in org.apache.wss4j:wss4j-ws-security-dom:jar:2.4.1

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33201
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169

And the critically scored one from BouncyCastle:

• https://www.cve.org/CVERecord?id=CVE-2018-1000613

[cachescrubber]

See also #1358. Obviously, if time passes, it doesn't get any better.