[
https://issues.apache.org/jira/browse/TOMEE-4169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17675587#comment-17675587
]
Richard Zowalla commented on TOMEE-4169:
----------------------------------------
snakeyaml in TomEE is a transient dependency from jackson-dataformat-yaml,
which is used by OpenAPI.
According to the Jackson people, they are not affected
https://github.com/FasterXML/jackson-dataformats-text/issues/361
Thus, I don't think that we are affected either.
> SnakeYAML - CVE-2022-1471
> -------------------------
>
> Key: TOMEE-4169
> URL: https://issues.apache.org/jira/browse/TOMEE-4169
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Core Server
> Affects Versions: 8.0.13
> Reporter: Nikhil
> Priority: Major
>
> Security has reported an issue with one of the libraries (SnakeYAML) which
> is part of the TomEE distribution.
>
> With TomEE 8.0.13 we have this library updated to *1.30*, though the affected
> versions of this jar are never mentioned; instead the following information
> is provided -
> *The maintainers of SnakeYAML have stated in an
> [advisory|https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md]
> that SnakeYAML is not designed to be used to process YAML files from
> untrusted sources.*
> We wanted to check if TomEE is vulnerable to this CVE, since there is nothing
> to update from the SnakeYAML perspective; it is more a matter of configuration /
> usage of its libraries in the respective projects that use it (here TomEE).
>
> Please help if there is already a discussion around this; we would be happy
> to coordinate.
>
> ---------------
>
> {*}Summary{*}: SnakeYaml's Constructor() class does not restrict the types which
> can be instantiated during deserialization. Deserializing YAML content
> provided by an attacker can lead to remote code execution. We recommend using
> SnakeYaml's SafeConstructor when parsing untrusted content to restrict
> deserialization.
> {*}Solution{*}: N/A
> {*}Workaround{*}: N/A
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
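The Constructor versus SafeConstructor distinction the issue summary refers to, shown as an added example (this is not code from TomEE, Jackson or SnakeYAML, and nothing here claims TomEE uses SnakeYAML this way). It assumes SnakeYAML 1.x on the classpath, a constructed `Bean` class standing in for "any class reachable from the classpath", and a constructed YAML document that names that class with a global `!!` tag. With `Constructor`, the tag alone is enough to instantiate the class and invoke its setter; with `SafeConstructor`, the same document is rejected before any application class is touched.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class ConstructorDemo {

    // Constructed stand-in for an arbitrary class on the classpath. Its setter
    // only bumps a counter, but SnakeYAML's Constructor would call it just the
    // same if it did something dangerous: the YAML document picks the class and
    // the properties, the application never opts in.
    public static class Bean {
        public static int setterCalls = 0;
        private String name;

        public Bean() {
        }

        public String getName() {
            return name;
        }

        public void setName(String name) {
            setterCalls++;
            this.name = name;
        }
    }

    // Constructed "untrusted" input: a global tag naming a Java class. The tag
    // suffix is resolved with Class.forName by the unrestricted Constructor.
    static final String UNTRUSTED_YAML = "!!ConstructorDemo$Bean {name: from-yaml}\n";

    // Unrestricted: any class named by a tag may be instantiated.
    static Object loadWithConstructor(String doc) {
        return new Yaml(new Constructor()).load(doc);
    }

    // Restricted: only the standard YAML types (map, list, scalar types) are
    // constructed; unknown global tags raise ConstructorException.
    static Object loadWithSafeConstructor(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Object built = loadWithConstructor(UNTRUSTED_YAML);
        System.out.println("Constructor instantiated " + built.getClass().getName()
                + " and ran the setter " + Bean.setterCalls + " time(s)");

        try {
            loadWithSafeConstructor(UNTRUSTED_YAML);
            System.out.println("unexpected: SafeConstructor accepted the document");
        } catch (ConstructorException e) {
            // Expected for the constructed input above: the class is never loaded.
            System.out.println("SafeConstructor rejected it: " + e.getMessage());
        }
    }
}
```

The check a practitioner wants from this is mechanical: grep the code base and its dependencies for `new Yaml(` with no argument, `new Constructor(`, or `Yaml.load` on data that originates outside the process, and confirm every such call site uses `SafeConstructor` (or never sees attacker-controlled YAML at all). A library that only uses SnakeYAML's event-level parser, as the comment above reports for jackson-dataformat-yaml, does not go through `Constructor` and so does not reach this code path.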