[ https://issues.apache.org/jira/browse/TOMEE-4169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nikhil updated TOMEE-4169:
--------------------------
    Description: 
Security has reported an issue with one of the libraries (SnakeYAML) that is part 
of the TomEE distribution.

 

With TomEE 8.0.13 we have this library at *1.30*. The affected versions of this 
jar are never mentioned, but the following information is provided:

 

{color:#4c9aff}*The maintainers of SnakeYAML have stated in an 
[advisory|https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md] 
that SnakeYAML is not designed to be used to process YAML files from untrusted 
sources.*{color}

 

{color:#172b4d}We wanted to check whether TomEE is vulnerable to this CVE, since 
there is nothing to update from the SnakeYAML perspective; it is more a matter of 
the configuration / usage of the library in the projects that use it (here 
TomEE).{color}

 

{color:#172b4d}Please let us know if there is already a discussion around this; we 
would be happy to coordinate.{color}

  was:
Security has reported an issue with one of the libraries (SnakeYAML) that is part 
of the TomEE distribution.

 

With TomEE 8.0.13 we have this library at *1.30*. The affected versions of this 
jar are never mentioned, but a note is provided to the users stating the following:

 

{color:#4c9aff}*The maintainers of SnakeYAML have stated in an 
[advisory|https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md] 
that SnakeYAML is not designed to be used to process YAML files from untrusted 
sources.*{color}

 

{color:#172b4d}We wanted to check whether TomEE is vulnerable to this CVE, since 
there is nothing to update from the SnakeYAML perspective; it is more a matter of 
the configuration / usage of the library in the projects that use it (here 
TomEE).{color}

 

{color:#172b4d}Please let us know if there is already a discussion around this; we 
would be happy to coordinate.{color}


> SnakeYAML - CVE-2022-1471
> -------------------------
>
>                 Key: TOMEE-4169
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4169
>             Project: TomEE
>          Issue Type: Dependency upgrade
>          Components: TomEE Core Server
>    Affects Versions: 8.0.13
>            Reporter: Nikhil
>            Priority: Major



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

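What "configuration / usage" means for CVE-2022-1471, as an added illustration by the editor (this is not TomEE or SnakeYAML code, and it is not from the ticket): in SnakeYAML 1.x, `new Yaml()` is equivalent to `new Yaml(new Constructor())`, and `Constructor` resolves any `!!` global tag in the document to a class name, instantiates that class and calls its bean setters, so the input chooses the class. `SafeConstructor` knows only the standard YAML tags and rejects everything else. The `Probe` class, the `SnakeYamlUsageCheck` class and the sample document are constructed for this demonstration; it assumes snakeyaml 1.30 (the version the ticket names) on the classpath.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Added example, not TomEE or SnakeYAML code. Assumes snakeyaml 1.30 on the
// classpath, i.e. the version the ticket says ships with TomEE 8.0.13.
public class SnakeYamlUsageCheck {

    // Any public class on the classpath with a no-arg constructor and bean setters
    // can be selected by a global tag. This constructed one only records that it
    // was instantiated; CVE-2022-1471 is the same mechanism aimed at a JDK class
    // whose construction has real side effects.
    public static class Probe {
        static volatile boolean instantiated = false;
        private String marker;
        public Probe() { instantiated = true; }
        public String getMarker() { return marker; }
        public void setMarker(String marker) { this.marker = marker; }
    }

    // Constructed "untrusted" document: the tag names the class, the mapping
    // feeds its setters. Nested classes are named with '$' in the tag.
    static final String UNTRUSTED_DOC =
            "!!SnakeYamlUsageCheck$Probe { marker: from-the-wire }\n";

    // Unsafe for untrusted input: in 1.x this is what new Yaml() does.
    static Object loadWithDefaultConstructor(String doc) {
        return new Yaml(new Constructor()).load(doc);
    }

    // Hardened: SafeConstructor only builds !!map, !!seq, !!str, !!int, !!float,
    // !!bool, !!null, !!timestamp, !!binary and the other standard tags.
    static Object loadUntrusted(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    // True if the hardened loader refuses the document, false if it built an object.
    static boolean hardenedLoaderRejects(String doc) {
        try {
            loadUntrusted(doc);
            return false;
        } catch (ConstructorException e) {
            // message: "could not determine a constructor for the tag ..."
            return true;
        }
    }

    public static void main(String[] args) {
        Object o = loadWithDefaultConstructor(UNTRUSTED_DOC);
        System.out.println("default Constructor built " + o.getClass().getName()
                + "; Probe instantiated=" + Probe.instantiated);   // Probe, true

        Probe.instantiated = false;
        boolean rejected = hardenedLoaderRejects(UNTRUSTED_DOC);
        System.out.println("SafeConstructor rejected=" + rejected
                + "; Probe instantiated=" + Probe.instantiated);   // true, false
    }
}
```

The audit the ticket asks for is therefore a usage question rather than a version question on 1.30: find every place in the distribution where a `Yaml` instance is created, check which constructor it is built with, and check whether the document it loads can come from outside the trust boundary. Only the combination of the default `Constructor` and externally supplied YAML is exposed; `SafeConstructor` (or, from SnakeYAML 2.0 on, the default `Yaml()` which restricts global tags unless a `TagInspector` allows them) closes the path.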