Update dependency version of org.yaml.snakeyaml to 1.31 to resolve [CVE-2022-25857]
#331
Comments
|
Please elaborate. I don't have time to check out links trying to figure out what the ask is. |
|
Denial of Service (DoS) Affecting [org.yaml:snakeyaml] version < 0.1.31 Affected versions of this package are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. |
|
#328 already updated the snakeyaml version. Until a release of that is available, you can declare the dependency to 1.31 in your build explicitly. |
|
@yawkat since there's a CVE maybe we should backport this into 2.13 branch, planning to release 2.13.4 relatively soon. EDIT: 2.13.4 was released 2 weeks ago: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13.4 and has SnakeYAML 1.31 dependency. For older versions it should be possible to just force this version with Maven |
|
Hello, |
|
@AlexJacobs95 We have done that in different PR, and it will be included in 2.13.5 and 2.14.0. In the meantime, however, you can add an override to force 1.32 version to be used: this is fully compatible with earlier versions. |
|
snakeyaml 1.32 will probably only be supported in jackson 2.14.0 because it introduces a limit of 3Mb on the size of Yaml data that can be parsed. The 2.14.0 will allow the snakeyaml LoaderOptions to be set on the jackson YAMLFactory so that users can override the settings as they wish. #339 |
cowtowncoder
changed the title
org.yaml.snakeyaml to 1.32 to resolve [CVE-2022-25857]
cowtowncoder
changed the title
org.yaml.snakeyaml to 1.32 to resolve [CVE-2022-25857]org.yaml.snakeyaml to 1.31 to resolve [CVE-2022-25857]
When can 2.14.0 get released? @pjfanning |
|
@wanjinyou When it is ready. Hopefully within 2-3 weeks. |
CVE-2022-25857
Github commit snakeyaml
Bitbucket Issue
Bitbucket commit
The text was updated successfully, but these errors were encountered: