[ https://issues.apache.org/jira/browse/OAK-9987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17630361#comment-17630361 ]
Mohit Kataria commented on OAK-9987:
------------------------------------

elasticsearch-x-content depends on vulnerable snakeyaml. But as we are now using the Java client instead, we can remove elasticsearch-x-content from the pom.

> Oak-search-elastic depends on vulnerable snakeyaml version.
> -----------------------------------------------------------
>
>                 Key: OAK-9987
>                 URL: https://issues.apache.org/jira/browse/OAK-9987
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: indexing
>    Affects Versions: 1.44.0
>            Reporter: Mohit Kataria
>            Priority: Major
>
> Description: oak-search-elastic embeds snakeyaml-1.26.jar which is vulnerable to
>
> CVE-2022-38749 MEDIUM Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
>
> CVE-2022-38750 MEDIUM Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
>
> CVE-2022-25857 MEDIUM The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to missing nested depth limitation for collections.
>
> CVE-2022-38751 MEDIUM Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
>
> CVE-2022-38752 MEDIUM Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
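The remedy proposed in the comment is to drop elasticsearch-x-content so that the transitive snakeyaml 1.26 disappears from the build. As an added example (not code from the Oak project or from this ticket), the Python script below parses `mvn dependency:tree` output, flags every `org.yaml:snakeyaml` artifact below a fixed version, and names the direct dependency that pulls it in, which is the check a reviewer would run before and after the pom change. The tree text is constructed, the Elasticsearch artifact versions are `X.Y.Z` placeholders, and the `1.31` threshold is taken from the CVE-2022-25857 text quoted above ("before 1.31"); treat it as a floor and raise it to whatever your advisory source requires.

```python
"""Flag vulnerable org.yaml:snakeyaml artifacts in `mvn dependency:tree` output
and report the direct (depth-1) dependency that brings each one in.
Added example; not part of the Oak project or of OAK-9987."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `mvn dependency:tree` output, shaped like a build of
# oak-search-elastic before the fix. Versions marked X.Y.Z are placeholders.
SAMPLE_TREE = """\
[INFO] org.apache.jackrabbit:oak-search-elastic:jar:1.44.0
[INFO] +- org.elasticsearch:elasticsearch-x-content:jar:X.Y.Z:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.26:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
[INFO] +- co.elastic.clients:elasticsearch-java:jar:X.Y.Z:compile
[INFO] |  \\- jakarta.json:jakarta.json-api:jar:2.0.1:compile
[INFO] \\- org.yaml:snakeyaml:jar:1.33:test
"""

# Maven draws the tree with 3-character units: "+- ", "\- ", "|  " and "   ".
# Depth is therefore the prefix length divided by 3; the root line has none.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[-|+\\ ]{3})*)(?P<coords>\S+).*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.26' or '2.0' into a comparable tuple of integers."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_tree(text: str) -> List[Dict[str, object]]:
    """Return one record per artifact: its coordinates, depth and the
    depth-1 ancestor ('via') through which it enters the build."""
    records: List[Dict[str, object]] = []
    ancestors: List[str] = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # progress lines, blank lines, other plugins' output
        depth = len(match.group("prefix")) // 3
        coords = match.group("coords")
        del ancestors[depth:]          # pop back to this node's parent
        ancestors.append(coords)
        via: Optional[str] = ancestors[1] if depth >= 1 else None
        records.append({"coords": coords, "depth": depth, "via": via})
    return records


def find_vulnerable(text: str, group: str = "org.yaml", artifact: str = "snakeyaml",
                    fixed_in: str = "1.31") -> List[Tuple[str, str, Optional[str]]]:
    """Return (coords, version, via) for each matching artifact older than fixed_in."""
    hits: List[Tuple[str, str, Optional[str]]] = []
    for rec in parse_tree(text):
        parts = str(rec["coords"]).split(":")
        # group:artifact:packaging:version[:scope] or, with a classifier,
        # group:artifact:packaging:classifier:version:scope
        if len(parts) < 4 or parts[0] != group or parts[1] != artifact:
            continue
        version = parts[4] if len(parts) == 6 else parts[3]
        if parse_version(version) < parse_version(fixed_in):
            hits.append((str(rec["coords"]), version, rec["via"]))  # type: ignore[arg-type]
    return hits


if __name__ == "__main__":
    import sys
    # Pipe real output in with `mvn dependency:tree | python check_snakeyaml.py`;
    # with no piped input the constructed sample is scanned instead.
    tree = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for coords, version, via in find_vulnerable(tree):
        print(f"{coords}: version {version} is below the fix; pulled in via {via}")
```

On the sample the only finding is snakeyaml 1.26 reached through elasticsearch-x-content, while the 1.33 test-scoped copy passes, which mirrors the reasoning in the comment: once the elasticsearch-x-content dependency is removed from the pom, re-running the same check against the new tree should report nothing.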