Dependency org.yaml:snakeyaml, leading to CVE problem #563
Comments
Thanks for the PR. ✋ Job Link:
The build failures are mainly due to the large difference between the modified version of jackson-dataformat-csv and the previous version, which has caused some build failures. It may be better to directly modify the version of its indirect dependency snakeyaml, in order to resolve these issues.
Hi. Is this still open for contribution?
Hi, can I work on this?
It looks like the problem description and the requirement to fix (what to fix) are not clear enough in this ticket.
@CVEDetect, what does this ticket intend to solve? In other way:
@baulea I think we won't have this problem anymore after the recent changes we made. What do you think?
@a1shadows You are right, this issue is already solved. Now com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.4
Hi, in /junit5-testing, there is a dependency org.yaml:snakeyaml:1.23 that calls the risk method.
CVE-2022-25857
The affected version range of this CVE is [0,1.31)
After further analysis, in this project, the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Risk method repair link: GitHub
CVE Bug Invocation Path:
Path Length: 7
Dependency tree:
Suggested solutions:
Update dependency version
Thank you very much.
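As an added example (not code from the issue or the project), the following Python check scans `mvn dependency:tree` output for org.yaml:snakeyaml versions inside the affected range [0,1.31) stated above, which is also a quick way to confirm that a pinned transitive version, as suggested in the comments, actually took effect. The sample tree, the root coordinates and the jackson version in it are constructed values.

```python
import re
from typing import List, Tuple

# Affected range for CVE-2022-25857 as stated in the issue: [0, 1.31)
AFFECTED_LOWER = "0"
FIXED_VERSION = "1.31"
TARGET = "org.yaml:snakeyaml"

# Constructed sample of `mvn dependency:tree` output. The root coordinates
# and the jackson-dataformat-yaml version are made-up values for this example;
# only snakeyaml 1.23 is taken from the issue text.
SAMPLE_TREE = """\
[INFO] com.example:junit5-testing:jar:1.0-SNAPSHOT
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.9.8:compile
[INFO] |  \\- org.yaml:snakeyaml:jar:1.23:compile
[INFO] \\- org.junit.jupiter:junit-jupiter:jar:5.9.2:test
"""

# groupId:artifactId:type:version[:scope]
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::\w+)?")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.23' or '1.31' into a comparable tuple of ints. Non-numeric
    qualifiers such as '-SNAPSHOT' are dropped, which is adequate for
    snakeyaml's plain numeric release versions."""
    parts = []
    for p in re.split(r"[.\-]", v):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts) or (0,)


def is_affected(version: str, lower: str = AFFECTED_LOWER,
                fixed: str = FIXED_VERSION) -> bool:
    """True if lower <= version < fixed, i.e. the version lies in [lower, fixed)."""
    return parse_version(lower) <= parse_version(version) < parse_version(fixed)


def find_vulnerable(tree_output: str, target: str = TARGET) -> List[Tuple[str, str]]:
    """Return (coordinate, version) for every resolved occurrence of the target
    artifact whose version falls inside the affected range."""
    hits = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if m is None:
            continue
        group, artifact, version = m.groups()
        coord = f"{group}:{artifact}"
        if coord == target and is_affected(version):
            hits.append((coord, version))
    return hits


if __name__ == "__main__":
    for coord, version in find_vulnerable(SAMPLE_TREE):
        print(f"{coord}:{version} is in the CVE-2022-25857 range [0,1.31)")
```

Feed it real output from `mvn dependency:tree` to check every module; an empty result after pinning snakeyaml to 1.31 or later means the override was resolved.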