
High CVE on 'SnakeYAML' dependency #405

Closed
saarw-actimize opened this issue Mar 19, 2023 · 2 comments
Labels
yaml Issue related to YAML format backend

Comments

@saarw-actimize

Hi dear Jackson team,

I want to inform you that the SnakeYAML dependency has a high CVE, and a few weeks ago there was a release of a new fixed SnakeYAML version 2.0.

I would like to know if you plan to integrate with the new version on your next release.

Thanks,
Saar

@yawkat
Member

yawkat commented Mar 19, 2023

Please see #392 and the issues linked from there

yawkat closed this as not planned on Mar 19, 2023
@cowtowncoder
Member

cowtowncoder commented Mar 19, 2023

@saarw-actimize And as you hopefully know, this CVE, and virtually every single CVE against SnakeYAML, does not actually apply to the Jackson YAML module. Functionality that is considered vulnerable to gadget-style attacks is not used or exposed by this module (it has never been; it won't be).

Unfortunately security tools cannot determine these false positives so there is lots of unnecessary toil for maintainers and users for upgrades that are not actually needed at all.

But such is life in the current CVE/Vuln ecosystem. :-(
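A way to check the maintainer's point for yourself when triaging a scanner finding, as an added example that is not part of this issue thread or of the jackson-dataformats-text project: feed a YAML document carrying a global tag into Jackson's `YAMLMapper` with a plain `Map` target and observe that the tag is never used to instantiate a class. Jackson's `YAMLParser` consumes only SnakeYAML's event stream (`ParserImpl`), not its `Constructor`, which is the component the SnakeYAML CVEs concern. The document text and the class name in the tag (`com.example.NotARealClass`) are constructed for this example; the class does not exist and is not meant to.

```java
import java.util.Map;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.dataformat.yaml.YAMLMapper;

public class JacksonYamlTagTriage {

    // Constructed sample input: a mapping that carries a global tag naming a
    // hypothetical class. SnakeYAML's own Constructor would try to resolve such
    // a tag to a Java type; Jackson's YAMLParser only surfaces it as an optional
    // type id, which is consulted solely when the target type is declared
    // polymorphic, and never for a plain Map or JsonNode target.
    static final String TAGGED_DOC =
            "--- !!com.example.NotARealClass\n" +
            "name: demo\n" +
            "count: 3\n";

    // Parse with a non-polymorphic target: the tag is ignored and the result is
    // an ordinary Map built by Jackson, not an object constructed by SnakeYAML.
    public static Map<?, ?> parseAsMap() throws Exception {
        YAMLMapper mapper = new YAMLMapper();
        return mapper.readValue(TAGGED_DOC, Map.class);
    }

    // Tree-model parse: same outcome, a tree of scalar/object nodes, no class lookup.
    public static JsonNode parseAsTree() throws Exception {
        return new YAMLMapper().readTree(TAGGED_DOC);
    }

    public static void main(String[] args) throws Exception {
        Map<?, ?> m = parseAsMap();
        // Expected: a java.util.LinkedHashMap holding {name=demo, count=3}
        System.out.println(m.getClass().getName() + " " + m);
        // Expected: {"name":"demo","count":3}
        System.out.println(parseAsTree());
    }
}
```

The check is deliberately narrow: it shows that the module's default read path does not hand tags to SnakeYAML's constructor machinery. If an application enables Jackson's own polymorphic typing (`@JsonTypeInfo` or default typing), that is a separate, Jackson-side design decision to review on its own terms, independent of any SnakeYAML advisory.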
