SnakeYAML CVE-2022-1471 is fixed in 2.0 #22
Comments
Is the URL above accessible? The closest I could find that is accessible to me (thanks to a link in Blackduck KB) is a pull request 44, https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44 The Google security advisory on SnakeYAML has few public details either (run.sh is not included). Only the project's tag 2.0 README and a Wiki page CVE & NIST imply that the CVEs against SnakeYAML are not exploitable unless the parser receives input from untrusted sources. The Google advisory is not clear as to where and why the Constructor class would be used. A SnakeYAML wiki page on CVE-2022-1471 ensures that the use of SnakeYAML in Spring was already safe and that many CVEs and tools ignore the exploit conditions, generating noisy alerts instead. Was the (white-listing) fix breaking major contracts with the consumers of the library to deserve a new major version?
I've emailed the maintainer to ask to make the issue public again
@JLLeitschuh Does the CVE-2022-1471 vulnerability apply if one uses SafeConstructor but with a SnakeYaml version of 1.33 or below?
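As an added illustration of the exploit condition the thread is asking about (this is example code written for this page, not code from the thread, the advisory or the SnakeYAML project): on SnakeYAML 1.x, `new Yaml()` uses `Constructor`, which resolves a global tag such as `!!some.fully.qualified.Name` to any class on the classpath and instantiates it, so an attacker who controls the YAML controls which class gets constructed; `new Yaml(new SafeConstructor())` only accepts the core-schema tags (`!!str`, `!!int`, `!!map`, ...) and throws on anything else. The `SideEffect` class and the YAML document below are constructed for the demo; the `SafeConstructor()` no-arg constructor is the 1.x API (2.0 requires a `LoaderOptions` argument).

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SnakeYamlTagDemo {

    // Hypothetical stand-in for any class on the classpath whose constructor
    // or setters do something an attacker would want (open a socket, load a
    // class, run code). It only records that it was instantiated.
    public static class SideEffect {
        public static boolean constructed = false;

        public SideEffect() {
            constructed = true;
        }

        // A bean property so the mapping form of the tag can populate it.
        public void setMessage(String message) {
        }
    }

    // Constructed sample: attacker-controlled document. The "!!" shorthand
    // expands to the tag:yaml.org,2002: namespace, and Constructor maps an
    // unknown name in that namespace to Class.forName(name).
    static final String UNTRUSTED = "!!SnakeYamlTagDemo$SideEffect {message: hi}";

    // Default Yaml() on 1.x: honours the tag and instantiates the class.
    static Object loadWithDefaultConstructor(String doc) {
        return new Yaml().load(doc);
    }

    // SafeConstructor: rejects every tag outside the core schema, so the
    // class is never touched. Returns true if the document was refused.
    static boolean loadWithSafeConstructor(String doc) {
        try {
            new Yaml(new SafeConstructor()).load(doc);
            return false;
        } catch (ConstructorException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Object o = loadWithDefaultConstructor(UNTRUSTED);
        System.out.println("Constructor built " + o.getClass().getName()
                + "; side effect ran: " + SideEffect.constructed);

        SideEffect.constructed = false;
        boolean refused = loadWithSafeConstructor(UNTRUSTED);
        System.out.println("SafeConstructor refused: " + refused
                + "; side effect ran: " + SideEffect.constructed);
    }
}
```

Run with snakeyaml 1.33 on the classpath: the first load prints the `SideEffect` class name with the side effect set, the second reports the document refused with no side effect. That difference is the whole of CVE-2022-1471: the parser is only dangerous when untrusted input reaches a `Constructor`-backed `Yaml`, which is why code already on `SafeConstructor` (or on a typed `Constructor(MyRootClass.class)` that never sees a foreign tag) is not exposed. The 2.0 release changes the default so that global tags are rejected unless a `TagInspector` explicitly allows them.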
From the maintainer regarding why that issue is not public currently:
If you are using
@JLLeitschuh Thank you for confirming. Appreciate it.
The link works again now!
Hey @rcorrea35
I spent a ton of time working with this maintainer and they finally fixed the security vulnerability in version 2.0
Please review the following issue:
https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
Please update your advisory, and the CVE to reflect this! 😃