Description
Hi. In /legend-shared-pac4j-kerberos, there is a dependency org.yaml:snakeyaml:1.26 that calls the risk method.
The affected version range of this CVE is [0,1.31).
After further analysis, in this project, the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length : 5

```
org.finos.legend.server.pac4j.kerberos.LocalCredentials: getUserId()Ljava.lang.String; /download/apache-maven-3.6.3/repository_mount/org/pac4j/pac4j-config/3.0.0/pac4j-config-3.0.0.jar
org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar
org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
```
Dependency tree--

```
[INFO] org.finos.legend.shared:legend-shared-pac4j-kerberos:jar:0.23.4-SNAPSHOT
[INFO] +- org.pac4j:pac4j-kerberos:jar:3.8.3:compile
[INFO] |  \- org.pac4j:pac4j-core:jar:3.8.3:compile
[INFO] |     \- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.1:provided
[INFO] +- org.finos.legend.shared:legend-shared-pac4j:jar:0.23.4-SNAPSHOT:compile
[INFO] |  +- org.pac4j:dropwizard-pac4j:jar:3.0.0:compile
[INFO] |  |  +- org.pac4j:pac4j-config:jar:3.0.0:compile
[INFO] |  |  |  \- com.zaxxer:HikariCP:jar:2.7.6:compile
[INFO] |  |  +- org.pac4j:jersey225-pac4j:jar:3.0.0:compile
[INFO] |  |  |  \- org.pac4j.jax-rs:core:jar:3.0.0:compile
[INFO] |  |  |     \- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  \- org.pac4j:j2e-pac4j:jar:4.0.0:compile
[INFO] |  +- org.commonjava.mimeparse:mimeparse:jar:0.1.3.3:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.11.2:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.2:compile
[INFO] |  |  +- org.yaml:snakeyaml:jar:1.26:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.11.2:compile
[INFO] |  +- javax.ws.rs:javax.ws.rs-api:jar:2.1.1:compile
[INFO] |  +- com.google.guava:guava:jar:30.0-jre:compile
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:3.5.0:compile
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] |  |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  \- org.mongodb:mongo-java-driver:jar:3.12.8:compile
[INFO] \- junit:junit:jar:4.13.1:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
```
Suggested solutions:
Update the dependency version.
Thank you very much.
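As an added example (not from the issue or the Legend project's own build files), the suggested fix applied in Maven: a `dependencyManagement` entry that overrides the transitive `org.yaml:snakeyaml` pulled in through `jackson-dataformat-yaml` 2.11.2, plus an enforcer rule that fails the build if any path still resolves a version inside the affected range [0,1.31). Version 1.31 is assumed here only because the issue names it as the first version outside that range; compatibility with the Jackson YAML module in use should be verified separately.

```xml
<!-- Fragment for the pom.xml of legend-shared-pac4j-kerberos (or its parent POM). Added example. -->
<project>
  <!-- existing modelVersion, coordinates and dependencies stay unchanged -->

  <dependencyManagement>
    <dependencies>
      <!-- Managed versions take precedence over transitive ones, so every path
           that resolves org.yaml:snakeyaml (here via jackson-dataformat-yaml 2.11.2,
           which brings 1.26) now gets 1.31, the first version outside [0,1.31). -->
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>1.31</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Guard against regression: fail the build if any direct or transitive
           dependency still resolves snakeyaml in the affected range. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version>
        <executions>
          <execution>
            <id>ban-vulnerable-snakeyaml</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>org.yaml:snakeyaml:[0,1.31)</exclude>
                  </excludes>
                  <searchTransitive>true</searchTransitive>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` should show only the managed version under jackson-dataformat-yaml.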