[ https://issues.apache.org/jira/browse/CONFIGURATION-829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary D. Gregory resolved CONFIGURATION-829.
-------------------------------------------
    Fix Version/s: 2.9.0
       Resolution: Fixed

> Critical security vulnerability in snakeyaml
> --------------------------------------------
>
>                 Key: CONFIGURATION-829
>                 URL: https://issues.apache.org/jira/browse/CONFIGURATION-829
>             Project: Commons Configuration
>          Issue Type: Bug
>          Components: File reloading
>    Affects Versions: 2.8.0
>            Reporter: Aaron Coady
>            Priority: Major
>             Fix For: 2.9.0
>
>
> This vulnerability is fixed in snakeyaml 2.0 and requires a backwards 
> incompatible change in the constructor
> [https://nvd.nist.gov/vuln/detail/CVE-2022-1471]
>  
> SnakeYaml's Constructor() class does not restrict types which can be 
> instantiated during deserialization. Deserializing yaml content provided by 
> an attacker can lead to remote code execution. We recommend using SnakeYaml's 
> SafeConstructor when parsing untrusted content to restrict deserialization.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
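The mitigation the report recommends, as an added example that is not code from the issue, from SnakeYAML or from Commons Configuration: a loader that parses untrusted YAML only through SafeConstructor, so a document carrying a global `!!some.Class` tag is refused instead of instantiated. It assumes the SnakeYAML 2.x constructor signatures (LoaderOptions is required there); the class name in the sample document is hypothetical.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Loads YAML from an untrusted source with SafeConstructor, which only
 * builds standard YAML types (maps, lists, scalars) and rejects global
 * "!!fully.qualified.ClassName" tags that the default Constructor would
 * resolve to arbitrary classes on the classpath.
 */
public final class UntrustedYamlLoader {

    private final Yaml yaml;

    public UntrustedYamlLoader() {
        LoaderOptions options = new LoaderOptions();
        // Additional hardening (not required for the CVE fix): cap alias
        // expansion and document size so a hostile document cannot exhaust memory.
        options.setMaxAliasesForCollections(50);
        options.setCodePointLimit(1024 * 1024);
        this.yaml = new Yaml(new SafeConstructor(options));
    }

    /** Parses untrusted YAML into plain Java collections, or returns null if rejected. */
    @SuppressWarnings("unchecked")
    public Map<String, Object> loadOrNull(String untrustedYaml) {
        try {
            Object root = yaml.load(untrustedYaml);
            return root instanceof Map ? (Map<String, Object>) root : null;
        } catch (YAMLException e) {
            // SafeConstructor raises ConstructorException for tags it cannot build.
            System.err.println("rejected YAML: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        UntrustedYamlLoader loader = new UntrustedYamlLoader();
        // Constructed sample: plain configuration data is accepted.
        String benign = "reload:\n  interval: 30\n  file: app.yaml\n";
        System.out.println(loader.loadOrNull(benign));
        // Constructed sample with a hypothetical class name: the global tag asks
        // the parser to instantiate a class, which SafeConstructor refuses.
        String tagged = "reload: !!com.example.HypotheticalClass {}\n";
        System.out.println(loader.loadOrNull(tagged));
    }
}
```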
