[ https://issues.apache.org/jira/browse/OAK-9987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17630361#comment-17630361 ]

Mohit Kataria commented on OAK-9987:
------------------------------------

elasticsearch-x-content depends on a vulnerable snakeyaml. But as we are now
using the Java client instead, we can remove elasticsearch-x-content from the pom.

> Oak-search-elastic depends on vulnerable snakeyaml version.
> -----------------------------------------------------------
>
>                 Key: OAK-9987
>                 URL: https://issues.apache.org/jira/browse/OAK-9987
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: indexing
>    Affects Versions: 1.44.0
>            Reporter: Mohit Kataria
>            Priority: Major
>
> Description: oak-search-elastic embeds snakeyaml-1.26.jar, which is vulnerable
> to:
>
> CVE-2022-38749 (MEDIUM): Using snakeYAML to parse untrusted YAML files
> may be vulnerable to Denial of Service attacks (DoS). If the parser is
> running on user supplied input, an attacker may supply content that causes
> the parser to crash by stack overflow.
>
> CVE-2022-38750 (MEDIUM): Using snakeYAML to parse untrusted YAML files
> may be vulnerable to Denial of Service attacks (DoS). If the parser is
> running on user supplied input, an attacker may supply content that causes
> the parser to crash by stack overflow.
>
> CVE-2022-25857 (MEDIUM): The package org.yaml:snakeyaml from 0 and
> before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested
> depth limitation for collections.
>
> CVE-2022-38751 (MEDIUM): Using snakeYAML to parse untrusted YAML files
> may be vulnerable to Denial of Service attacks (DoS). If the parser is
> running on user supplied input, an attacker may supply content that causes
> the parser to crash by stack overflow.
>
> CVE-2022-38752 (MEDIUM): Using snakeYAML to parse untrusted YAML files
> may be vulnerable to Denial of Service attacks (DoS). If the parser is
> running on user supplied input, an attacker may supply content that causes
> the parser to crash by stack overflow.
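
The comment above proposes dropping elasticsearch-x-content from the pom because it is what brings the vulnerable snakeyaml into oak-search-elastic. As an added example, not code from the ticket or from Jackrabbit Oak, the Python script below audits a constructed pom.xml for that artifact and for any directly declared snakeyaml below 1.31 (the fixed version named in the CVE-2022-25857 text quoted above), then shows the removal the comment describes. The sample coordinates, the versions in the sample pom and the helper names are assumptions made for the illustration.

```python
# Added example (not from the OAK-9987 ticket or the Oak code base): audit a
# Maven pom for the artifacts this ticket discusses, then remove the unwanted
# dependency. Everything in SAMPLE_POM is constructed for illustration.
import xml.etree.ElementTree as ET

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"

# The artifact the comment proposes removing; it is what pulled in snakeyaml.
UNWANTED = {("org.elasticsearch", "elasticsearch-x-content")}

# Per the CVE-2022-25857 text quoted on the ticket, snakeyaml before 1.31 is affected.
SNAKEYAML_FIXED = (1, 31)

# Constructed sample pom (hypothetical module name and versions).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>example-search-module</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.elasticsearch</groupId>
      <artifactId>elasticsearch-x-content</artifactId>
      <version>7.17.0</version>
    </dependency>
    <dependency>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
      <version>1.26</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """'1.26' -> (1, 26). Non-numeric fragments become 0 so comparison never raises."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for each declared <dependency>."""
    root = ET.fromstring(pom_xml)
    ns = {"m": MAVEN_NS}
    for dep in root.findall(".//m:dependencies/m:dependency", ns):
        group = dep.findtext("m:groupId", default="", namespaces=ns)
        artifact = dep.findtext("m:artifactId", default="", namespaces=ns)
        version = dep.findtext("m:version", default="", namespaces=ns)
        yield group, artifact, version


def audit(pom_xml):
    """Return findings: unwanted artifacts and directly declared pre-1.31 snakeyaml."""
    findings = []
    for group, artifact, version in dependencies(pom_xml):
        if (group, artifact) in UNWANTED:
            findings.append(f"remove {group}:{artifact} (transitively embeds snakeyaml)")
        if (group, artifact) == ("org.yaml", "snakeyaml") and parse_version(version) < SNAKEYAML_FIXED:
            findings.append(f"{group}:{artifact}:{version} is below 1.31 (CVE-2022-25857)")
    return findings


def remove_dependency(pom_xml, group_id, artifact_id):
    """Return the pom text with the named <dependency> element removed."""
    ET.register_namespace("", MAVEN_NS)  # keep the default namespace on output
    root = ET.fromstring(pom_xml)
    ns = {"m": MAVEN_NS}
    for deps in root.findall(".//m:dependencies", ns):
        for dep in list(deps.findall("m:dependency", ns)):
            if (dep.findtext("m:groupId", namespaces=ns) == group_id
                    and dep.findtext("m:artifactId", namespaces=ns) == artifact_id):
                deps.remove(dep)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_POM):
        print(finding)
    cleaned = remove_dependency(SAMPLE_POM, "org.elasticsearch", "elasticsearch-x-content")
    print("after removal:", audit(cleaned))
```

The audit reads only the dependencies declared in the pom, which is enough to confirm that the artifact named in the comment is gone. Because the snakeyaml in this ticket arrives transitively through elasticsearch-x-content, the resolved tree (for Maven, the output of the dependency:tree goal) is the place to confirm that no other path still brings in a version below 1.31 after the change.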



--
This message was sent by Atlassian Jira
(v8.20.10#820010)