We use the com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.4 jar in our application, which uses a vulnerable artifact, snakeyaml. Even the most recent snakeyaml version, v1.33, has a high vulnerability that can lead to remote code execution: https://nvd.nist.gov/vuln/detail/CVE-2022-1471
Snakeyaml hasn't offered an updated safe version so far. Since we use jackson-dataformat-yaml, the snakeyaml library is transitively added as well.
Spring Boot came up with their analysis on why their use case of snakeyaml is not vulnerable, even though they use it: spring-projects/spring-boot#33457
Is there a plan by Jackson to address this challenge/vulnerability that comes with using snakeyaml? Please let me know if there's any update.

Replies: 1 comment, 2 replies

@akhil-lm There is no vulnerability to fix as far as I understand it. So there is nothing to fix.
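The difference the thread turns on is which SnakeYAML entry point is used. CVE-2022-1471 is about `Yaml.load()` with SnakeYAML's default `Constructor`, which lets a `!!fully.qualified.ClassName` tag in the document choose the class to instantiate; `SafeConstructor` only knows the standard YAML tags, and jackson-dataformat-yaml uses SnakeYAML as an event parser while Jackson does the object construction. The following is an added example written for this page, not code from the thread, from Jackson or from SnakeYAML. It feeds one tagged document to all three paths and uses a canary class (`Canary`, a hypothetical name) whose constructor records that it ran; the class name `SnakeYamlTagCheck`, the `TAGGED_DOC` input and the command string inside it are constructed for the demonstration. It assumes snakeyaml 1.33 and jackson-dataformat-yaml 2.13.4 on the classpath, the versions named in the question.

```java
import java.util.Map;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.dataformat.yaml.YAMLMapper;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Constructed demonstration (not project code). Assumes snakeyaml 1.33 and
 * jackson-dataformat-yaml 2.13.4 on the classpath.
 */
public class SnakeYamlTagCheck {

    /**
     * Canary: a public bean whose constructor records that it ran. An attacker
     * names a class whose constructor does something useful to them instead;
     * CVE-2022-1471 is this mechanism applied to a JDK gadget class.
     */
    public static class Canary {
        static volatile boolean constructed = false;
        private String cmd;
        public Canary() { constructed = true; }
        public String getCmd() { return cmd; }
        public void setCmd(String cmd) { this.cmd = cmd; }
    }

    // Constructed input: a global tag naming an application class by its
    // binary name, followed by a flow mapping that becomes the bean's properties.
    static final String TAGGED_DOC =
        "job: !!" + Canary.class.getName() + " {cmd: 'touch /tmp/pwned'}\n";

    /** Yaml.load with the plain Constructor: the tag selects the class and
     *  Canary's constructor runs as a side effect of parsing. */
    static Object loadWithConstructor(String doc) {
        return new Yaml(new Constructor(new LoaderOptions())).load(doc);
    }

    /** Yaml.load with SafeConstructor: an application class tag is rejected
     *  with a YAMLException before anything is instantiated. */
    static Object loadWithSafeConstructor(String doc) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
    }

    /** jackson-dataformat-yaml: SnakeYAML only produces the event stream;
     *  a tree read yields an ObjectNode and the tag selects no class. */
    static JsonNode readWithJackson(String doc) throws java.io.IOException {
        return new YAMLMapper().readTree(doc);
    }

    public static void main(String[] args) throws Exception {
        Canary.constructed = false;
        Object root = loadWithConstructor(TAGGED_DOC);
        Object job = ((Map<?, ?>) root).get("job");
        System.out.println("Constructor:      constructed=" + Canary.constructed
            + " job=" + job.getClass().getName());

        Canary.constructed = false;
        try {
            loadWithSafeConstructor(TAGGED_DOC);
            System.out.println("SafeConstructor:  unexpectedly accepted the tag");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor:  rejected (" + e.getClass().getSimpleName()
                + ") constructed=" + Canary.constructed);
        }

        Canary.constructed = false;
        JsonNode tree = readWithJackson(TAGGED_DOC);
        System.out.println("Jackson readTree: constructed=" + Canary.constructed
            + " job=" + tree.get("job"));
    }
}
```

Run it with the two jars (and Jackson's core/databind dependencies) on the classpath. The first line reports `constructed=true` with the `job` value of type `SnakeYamlTagCheck$Canary`; the second and third report `constructed=false`, the SafeConstructor path having thrown and the Jackson path having produced a plain `{"cmd":"touch /tmp/pwned"}` node. One caveat when reading the Jackson result: Jackson can consult a YAML tag as a native type id, but only for a target type declared polymorphic with `@JsonTypeInfo`, and that path is governed by Jackson's own `PolymorphicTypeValidator`, not by SnakeYAML's constructor classes. The check to repeat after any dependency change is therefore not only the snakeyaml version on the classpath but a grep of your own code for direct `org.yaml.snakeyaml.Yaml` usage with the default constructor.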