[ https://issues.apache.org/jira/browse/NIFI-11142?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Liszli reassigned NIFI-11142:
------------------------------------

    Assignee: Robert Liszli

> Security fix for SnakeYAML
> --------------------------
>
>                 Key: NIFI-11142
>                 URL: https://issues.apache.org/jira/browse/NIFI-11142
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: MiNiFi
>            Reporter: Robert Liszli
>            Assignee: Robert Liszli
>            Priority: Minor
>             Fix For: 1.20.0
>
>
> *Fix for:*
> SnakeYaml's Constructor() class does not restrict types which can be
> instantiated during deserialization. Deserializing yaml content provided by
> an attacker can lead to remote code execution. We recommend using SnakeYaml's
> SafeConstructor when parsing untrusted content to restrict deserialization.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
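
The recommendation quoted above, shown as an added example; it is not code from the NiFi/MiNiFi change or from the reporter. It assumes SnakeYAML is on the classpath; the class name SafeYamlLoader and both sample documents are constructed for illustration.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Hypothetical class name; not taken from the NiFi code base.
public class SafeYamlLoader {

    // SafeConstructor only builds standard YAML types (maps, lists, strings,
    // numbers, ...), so a tag that names a Java class is rejected at load time
    // instead of being instantiated. Yaml instances are not thread-safe, so a
    // fresh one is created per call.
    private static Yaml newSafeYaml() {
        return new Yaml(new SafeConstructor(new LoaderOptions()));
    }

    // Parses untrusted text and insists on a mapping at the top level.
    public static Map<String, Object> load(String text) {
        Object root = newSafeYaml().load(text);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("expected a YAML mapping at the top level");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> map = (Map<String, Object>) root;
        return map;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one plain document, one that asks the
        // parser to instantiate a Java type through a global tag.
        String plain = "name: agent-1\nport: 8080\n";
        String tagged = "name: agent-1\nhelper: !!java.util.Date {}\n";

        System.out.println("plain  -> " + load(plain));
        try {
            load(tagged);
            System.out.println("tagged -> loaded (unexpected)");
        } catch (YAMLException e) {
            // The type-naming tag is refused before any object is created.
            System.out.println("tagged -> rejected: " + e.getClass().getSimpleName());
        }
    }
}
```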