@akhil-lm There is no vulnerability to fix as far as I understand it. So there is nothing to fix.
We use the com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.4 jar in our application, which uses a vulnerable artifact, snakeyaml. Even the most recent snakeyaml version, v1.33, has a high-severity vulnerability that can lead to remote code execution: https://nvd.nist.gov/vuln/detail/CVE-2022-1471
Snakeyaml hasn't offered an updated safe version so far. Since we use jackson-dataformat-yaml, the snakeyaml library is transitively added as well.
Spring Boot came up with their analysis on why their use case of snakeyaml is not vulnerable, even though they use it: spring-projects/spring-boot#33457
Is there a plan by Jackson to address this challenge/vulnerability that comes with using Snakeyaml? Please let me know if there's any update.