@saarw-actimize And as you hopefully know, this CVE -- and virtually every single CVE against SnakeYAML -- does not actually apply to the Jackson YAML module. Functionality that is considered vulnerable to Gadget-style attacks is not used or exposed by this module (has never been; won't).
Unfortunately security tools cannot determine these false positives so there is lots of unnecessary toil for maintainers and users for upgrades that are not actually needed at all.
But such is life in the current CVE/Vuln ecosystem. :-(
Hi dear Jackson team,
I want to inform you that the SnakeYAML dependency has a high CVE, and a few weeks ago there was a release of a new fixed SnakeYAML version 2.0.
I would like to know if you plan to integrate with the new version on your next release.
Thanks,
Saar