[
https://issues.apache.org/jira/browse/TOMEE-4169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nikhil updated TOMEE-4169:
--------------------------
Description:
The security team has reported an issue with one of the libraries (SnakeYAML)
which is part of the TomEE distribution.
With TomEE 8.0.13 we have this library updated to *1.30*, though the affected
versions of this jar are never mentioned; the following information is
provided -
{color:#4c9aff}*The maintainers of SnakeYAML have stated in an
[advisory|https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md]
that SnakeYAML is not designed to be used to process YAML files from untrusted
sources.*{color}
{color:#172b4d}We wanted to check if TomEE is vulnerable to this CVE, since
there is nothing to update from the SnakeYAML perspective; it is more a matter
of configuration / usage of its libraries in the respective projects that use
it (here TomEE).{color}
{color:#172b4d}Please help if there is already a discussion around this; we
would be happy to coordinate.{color}
was:
The security team has reported an issue with one of the libraries (SnakeYAML)
which is part of the TomEE distribution.
With TomEE 8.0.13 we have this library updated to *1.30*, though the affected
versions of this jar are never mentioned; a note is provided to the users
stating below -
{color:#4c9aff}*The maintainers of SnakeYAML have stated in an
[advisory|https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md]
that SnakeYAML is not designed to be used to process YAML files from untrusted
sources.*{color}
{color:#172b4d}We wanted to check if TomEE is vulnerable to this CVE, since
there is nothing to update from the SnakeYAML perspective; it is more a matter
of configuration / usage of its libraries in the respective projects that use
it (here TomEE).{color}
{color:#172b4d}Please help if there is already a discussion around this; we
would be happy to coordinate.{color}
> SnakeYAML - CVE-2022-1471
> -------------------------
>
> Key: TOMEE-4169
> URL: https://issues.apache.org/jira/browse/TOMEE-4169
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Core Server
> Affects Versions: 8.0.13
> Reporter: Nikhil
> Priority: Major
>
> The security team has reported an issue with one of the libraries (SnakeYAML)
> which is part of the TomEE distribution.
>
> With TomEE 8.0.13 we have this library updated to *1.30*, though the affected
> versions of this jar are never mentioned; the following information is
> provided -
>
> {color:#4c9aff}*The maintainers of SnakeYAML have stated in an
> [advisory|https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md]
> that SnakeYAML is not designed to be used to process YAML files from
> untrusted sources.*{color}
>
> {color:#172b4d}We wanted to check if TomEE is vulnerable to this CVE, since
> there is nothing to update from the SnakeYAML perspective; it is more a matter
> of configuration / usage of its libraries in the respective projects that use
> it (here TomEE).{color}
>
> {color:#172b4d}Please help if there is already a discussion around this; we
> would be happy to coordinate.{color}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
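As an added illustration of the "configuration / usage" point raised in the issue (example code written for this page, not from the TomEE project or the SnakeYAML project): in SnakeYAML the constructor passed to `Yaml` decides whether a document's global `!!` tags may name Java classes to instantiate, which is what CVE-2022-1471 is about. `SafeConstructor` limits parsing to the standard YAML types (maps, lists, scalars) and is the loader the SnakeYAML advisory linked above points to for documents that may come from untrusted sources. The example assumes SnakeYAML 1.30 (`org.yaml:snakeyaml`) on the classpath; the two sample documents and the class name `SnakeYamlLoaderCheck` are constructed for the example.

```java
// Added example, not code from TOMEE-4169 or from SnakeYAML itself.
// Assumes SnakeYAML 1.30 on the classpath; on SnakeYAML 2.x the
// SafeConstructor constructor takes a LoaderOptions argument instead.
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SnakeYamlLoaderCheck {

    // Constructed sample documents. TAGGED_DOC carries a global tag that names a
    // Java class; java.io.File is harmless and is used only to show that the
    // default loader honours such tags at all.
    static final String TAGGED_DOC = "path: !!java.io.File [\"/tmp/example\"]\n";
    static final String PLAIN_DOC = "name: tomee\nport: 8080\n";

    // new Yaml() uses the full Constructor: a global tag may select any class
    // on the classpath and the loader will try to instantiate it.
    static Object loadWithDefaultLoader(String doc) {
        return new Yaml().load(doc);
    }

    // SafeConstructor only knows the standard YAML types. A tag that requests an
    // application class is rejected with a YAMLException (ConstructorException).
    static Object loadWithSafeLoader(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    // Returns true when the safe loader refuses the document, i.e. when the
    // document tried to do something the restricted configuration forbids.
    static boolean safeLoaderRejects(String doc) {
        try {
            loadWithSafeLoader(doc);
            return false;
        } catch (YAMLException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Ordinary configuration data loads fine under the restricted loader.
        Map<?, ?> plain = (Map<?, ?>) loadWithSafeLoader(PLAIN_DOC);
        System.out.println("plain document via SafeConstructor: " + plain);

        // The default loader turns the tagged value into a java.io.File instance.
        Map<?, ?> tagged = (Map<?, ?>) loadWithDefaultLoader(TAGGED_DOC);
        System.out.println("default loader instantiated: "
                + tagged.get("path").getClass().getName());

        // The same document is refused once the loader is restricted.
        System.out.println("SafeConstructor rejects tagged document: "
                + safeLoaderRejects(TAGGED_DOC));
    }
}
```

The practical check for a distribution such as TomEE is therefore not the SnakeYAML version alone but every call site that builds a `Yaml` instance: any `new Yaml()` that can receive input from outside the trust boundary should be replaced with a `SafeConstructor`-backed loader (or a custom constructor that whitelists the expected types), and the rejected-document path should be logged so that attempts to feed tagged documents are visible.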