[
https://issues.apache.org/jira/browse/TOMEE-4194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17705922#comment-17705922
]
Richard Zowalla commented on TOMEE-4194:
----------------------------------------
Snakeyaml 2.0 has breaking changes (in constructors) and cannot simply be
updated within TomEE. It needs to be addressed by the maintainers of OpenAPI
impl.
When you use SnakeYAML to configure your application, you are totally safe
(given that you control the input). The only issue is when the data to parse
comes from an untrusted source, meaning it is downloaded from an unknown source
without authentication and authorisation, cf.
https://bitbucket.org/snakeyaml/snakeyaml/src/master/
For now, we need to wait until it is addressed by the 3rd party libs.
> Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
> ---------------------------------------------------------
>
> Key: TOMEE-4194
> URL: https://issues.apache.org/jira/browse/TOMEE-4194
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Core Server
> Affects Versions: 8.0.14
> Reporter: RAJU THANNEERU
> Priority: Major
>
> Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
> https://nvd.nist.gov/vuln/detail/CVE-2022-1471
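The comment above draws the line at untrusted input. As an added illustration (not code from TomEE, SnakeYAML or the commenter), the following helper parses YAML from an untrusted source with `SafeConstructor`, which only builds standard YAML types and rejects global `!!` tags naming Java classes, the mechanism behind CVE-2022-1471. It assumes SnakeYAML 1.33 or 2.x on the classpath; the class name and the `com.example.SomeBean` tag in the sample are hypothetical.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Hypothetical helper: parses YAML from an untrusted source into plain collections only. */
public final class UntrustedYamlLoader {

    private final Yaml yaml;

    public UntrustedYamlLoader() {
        LoaderOptions options = new LoaderOptions();
        // Defensive limits for untrusted documents (alias expansion, recursion, input size).
        options.setMaxAliasesForCollections(50);
        options.setAllowRecursiveKeys(false);
        options.setCodePointLimit(1024 * 1024); // 1 MiB of input at most
        // SafeConstructor constructs only standard YAML types (maps, lists, scalars);
        // a global "!!" tag naming an arbitrary Java class is rejected, never instantiated.
        this.yaml = new Yaml(new SafeConstructor(options));
    }

    @SuppressWarnings("unchecked")
    public Map<String, Object> loadMap(String document) {
        Object parsed = yaml.load(document);
        if (!(parsed instanceof Map)) {
            throw new IllegalArgumentException("expected a YAML mapping at the top level");
        }
        return (Map<String, Object>) parsed;
    }

    public static void main(String[] args) {
        UntrustedYamlLoader loader = new UntrustedYamlLoader();

        // Constructed sample: ordinary configuration data, accepted as nested maps/lists.
        String config = "server:\n  port: 8080\n  hosts: [a.example, b.example]\n";
        System.out.println(loader.loadMap(config));

        // Constructed sample: a global tag naming a (hypothetical) Java class.
        // SafeConstructor has no constructor for this tag and throws a ConstructorException.
        String tagged = "handler: !!com.example.SomeBean {name: x}\n";
        try {
            loader.loadMap(tagged);
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same `SafeConstructor` path is the recommended way to read untrusted YAML on 1.x as well, independent of the 2.0 upgrade the issue requests.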