[ https://issues.apache.org/jira/browse/CONFIGURATION-829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gary D. Gregory resolved CONFIGURATION-829.
-------------------------------------------
    Fix Version/s: 2.9.0
       Resolution: Fixed

> Critical security vulnerability in snakeyaml
> --------------------------------------------
>
>                 Key: CONFIGURATION-829
>                 URL: https://issues.apache.org/jira/browse/CONFIGURATION-829
>             Project: Commons Configuration
>          Issue Type: Bug
>          Components: File reloading
>    Affects Versions: 2.8.0
>            Reporter: Aaron Coady
>            Priority: Major
>             Fix For: 2.9.0
>
>
> This vulnerability is fixed in snakeyaml 2.0 and requires a backwards-
> incompatible change in the constructor
> [https://nvd.nist.gov/vuln/detail/CVE-2022-1471]
>
> SnakeYaml's Constructor() class does not restrict types which can be
> instantiated during deserialization. Deserializing yaml content provided by
> an attacker can lead to remote code execution. We recommend using SnakeYaml's
> SafeConstructor when parsing untrusted content to restrict deserialization.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
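The difference between Constructor() and SafeConstructor that the reporter describes, as an added illustration that is not part of the Jira issue and is not Commons Configuration code. It assumes a SnakeYaml 1.x release (the line the issue marks as affected), where the no-argument Constructor() and SafeConstructor() still exist; in SnakeYaml 2.0 both take a LoaderOptions argument, which is the backwards-incompatible constructor change the issue refers to. The Command bean and the YAML document are constructed for the demonstration: the tag in the document, not the application, decides which class gets instantiated, which is the property an attacker abuses to reach a gadget class on the classpath.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlDemo {

    // Hypothetical bean standing in for any public class with a no-arg
    // constructor that happens to be on the classpath.
    public static class Command {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Constructed untrusted input: the explicit "!!" tag names the class to
    // build, and the mapping is applied through its setters.
    static final String UNTRUSTED = "!!SnakeYamlDemo$Command {name: whoami}";

    // Vulnerable pattern: Constructor resolves the tag to a class name and
    // instantiates it, whatever class the document asks for.
    static Object loadUnsafe(String doc) {
        Yaml yaml = new Yaml(new Constructor());
        return yaml.load(doc);
    }

    // Hardened pattern: SafeConstructor only builds the standard YAML types
    // (maps, lists, strings, numbers, booleans, timestamps, null) and throws
    // on any tag it does not know.
    static Object loadSafe(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        Object o = loadUnsafe(UNTRUSTED);
        // Prints "SnakeYamlDemo$Command": the document chose the class.
        System.out.println("Constructor built: " + o.getClass().getName());

        try {
            loadSafe(UNTRUSTED);
            System.out.println("unexpected: SafeConstructor accepted the tag");
        } catch (YAMLException e) {
            // ConstructorException: could not determine a constructor for the tag
            System.out.println("SafeConstructor rejected it: " + e.getMessage());
        }
    }
}
```

Compile and run with snakeyaml-1.x on the classpath from the default package (the tag uses the binary name SnakeYamlDemo$Command, so moving the class into a package changes the tag too). For configuration files that must map onto a known bean, the narrower alternative is new Yaml(new Constructor(Command.class)) or yaml.loadAs(doc, Command.class), which still should not be pointed at attacker-controlled input, since a document can override the root tag.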