[jira] [Comment Edited] (CONFIGURATION-829) Critical security vulnerability in snakeyaml
[ https://issues.apache.org/jira/browse/CONFIGURATION-829?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17704668#comment-17704668 ] Aaron Coady edited comment on CONFIGURATION-829 at 3/24/23 5:30 PM: It appears this has already been addressed by [https://github.com/apache/commons-configuration/pull/282] The version in the pom was bumped in this PR https://github.com/apache/commons-configuration/pull/283 What release can this be included in? was (Author: acoady): It appears this has already been addressed by [https://github.com/apache/commons-configuration/pull/282] Should we bump the version of snakeyaml in the pom to address this? What release can this be included in? > Critical security vulnerability in snakeyaml > > > Key: CONFIGURATION-829 > URL: https://issues.apache.org/jira/browse/CONFIGURATION-829 > Project: Commons Configuration > Issue Type: Bug > Components: File reloading >Affects Versions: 2.8.0 >Reporter: Aaron Coady >Priority: Major > > This vulnerability is fixed in snakeyaml 2.0 and requires a backwards > incompatible change in the constructor > [https://nvd.nist.gov/vuln/detail/CVE-2022-1471] > > SnakeYaml's Constructor() class does not restrict types which can be > instantiated during deserialization. Deserializing yaml content provided by > an attacker can lead to remote code execution. We recommend using SnakeYaml's > SafeConsturctor when parsing untrusted content to restrict deserialization. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Comment Edited] (CONFIGURATION-829) Critical security vulnerability in snakeyaml
[ https://issues.apache.org/jira/browse/CONFIGURATION-829?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17704668#comment-17704668 ] Aaron Coady edited comment on CONFIGURATION-829 at 3/24/23 3:41 PM: It appears this has already been addressed by [https://github.com/apache/commons-configuration/pull/282] Should we bump the version of snakeyaml in the pom to address this? What release can this be included in? was (Author: acoady): It appears this has already been addressed by https://github.com/apache/commons-configuration/pull/282 > Critical security vulnerability in snakeyaml > > > Key: CONFIGURATION-829 > URL: https://issues.apache.org/jira/browse/CONFIGURATION-829 > Project: Commons Configuration > Issue Type: Bug > Components: File reloading >Affects Versions: 2.8.0 >Reporter: Aaron Coady >Priority: Major > > This vulnerability is fixed in snakeyaml 2.0 and requires a backwards > incompatible change in the constructor > [https://nvd.nist.gov/vuln/detail/CVE-2022-1471] > > SnakeYaml's Constructor() class does not restrict types which can be > instantiated during deserialization. Deserializing yaml content provided by > an attacker can lead to remote code execution. We recommend using SnakeYaml's > SafeConsturctor when parsing untrusted content to restrict deserialization. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (CONFIGURATION-829) Critical security vulnerability in snakeyaml
[ https://issues.apache.org/jira/browse/CONFIGURATION-829?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17704668#comment-17704668 ] Aaron Coady commented on CONFIGURATION-829: --- It appears this has already been addressed by https://github.com/apache/commons-configuration/pull/282 > Critical security vulnerability in snakeyaml > > > Key: CONFIGURATION-829 > URL: https://issues.apache.org/jira/browse/CONFIGURATION-829 > Project: Commons Configuration > Issue Type: Bug > Components: File reloading >Affects Versions: 2.8.0 >Reporter: Aaron Coady >Priority: Major > > This vulnerability is fixed in snakeyaml 2.0 and requires a backwards > incompatible change in the constructor > [https://nvd.nist.gov/vuln/detail/CVE-2022-1471] > > SnakeYaml's Constructor() class does not restrict types which can be > instantiated during deserialization. Deserializing yaml content provided by > an attacker can lead to remote code execution. We recommend using SnakeYaml's > SafeConsturctor when parsing untrusted content to restrict deserialization. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (CONFIGURATION-829) Critical security vulnerability in snakeyaml
Aaron Coady created CONFIGURATION-829: - Summary: Critical security vulnerability in snakeyaml Key: CONFIGURATION-829 URL: https://issues.apache.org/jira/browse/CONFIGURATION-829 Project: Commons Configuration Issue Type: Bug Components: File reloading Affects Versions: 2.8.0 Reporter: Aaron Coady This vulnerability is fixed in snakeyaml 2.0 and requires a backwards incompatible change in the constructor [https://nvd.nist.gov/vuln/detail/CVE-2022-1471] SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. -- This message was sent by Atlassian Jira (v8.20.10#820010)
