[https://issues.apache.org/jira/browse/NIFI-11142?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17684697#comment-17684697]
David Handermann commented on NIFI-11142:
-----------------------------------------
For additional clarification, the no-argument SnakeYAML {{Constructor}} is
deprecated, and does use the generic {{Object.class}} reference, versus other
constructor options that have a more restricted set of default objects, so
problematic usage depends on the particular case.
> Security fix for SnakeYAML
> --------------------------
>
> Key: NIFI-11142
> URL: https://issues.apache.org/jira/browse/NIFI-11142
> Project: Apache NiFi
> Issue Type: Improvement
> Components: MiNiFi
> Reporter: Robert Liszli
> Assignee: Robert Liszli
> Priority: Minor
> Fix For: 1.20.0
>
>
> *Fix for:*
> SnakeYaml's Constructor() class does not restrict types which can be
> instantiated during deserialization. Deserializing yaml content provided by
> an attacker can lead to remote code execution. We recommend using SnakeYaml's
> SafeConstructor when parsing untrusted content to restrict deserialization.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
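An added example, not code from the NiFi project or from this thread, showing the SafeConstructor approach the issue recommends next to the Object.class-rooted Constructor the comment describes. The YAML documents, the MiNiFi-style keys and the class name in the `!!` tag are constructed for illustration; SafeConstructor(LoaderOptions) and Constructor(Class, LoaderOptions) are assumed available (SnakeYAML 1.33 or later).

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Added example: loading config YAML with SafeConstructor instead of Constructor. */
public class SafeYamlLoadExample {

    // Constructed sample: plain config of the kind an agent reads from disk.
    static final String PLAIN_CONFIG =
            "MiNiFi Config Version: 3\n"
          + "Flow Controller:\n"
          + "  name: example-flow\n";

    // Constructed sample: a document carrying a global (!!) tag. A Constructor
    // rooted at Object.class resolves such a tag to a class name and tries to
    // instantiate it; SafeConstructor only knows the standard YAML tags.
    static final String TAGGED_CONFIG =
            "Flow Controller: !!com.example.NotAllowed {name: x}\n";

    /** Hardened loader: builds only maps, lists and scalars. */
    static Yaml safeYaml() {
        return new Yaml(new SafeConstructor(new LoaderOptions()));
    }

    /** Unrestricted loader, shown for contrast only; not for untrusted input. */
    static Yaml unrestrictedYaml() {
        return new Yaml(new Constructor(Object.class, new LoaderOptions()));
    }

    static Map<String, Object> loadConfig(Yaml yaml, String document) {
        return yaml.load(document);
    }

    public static void main(String[] args) {
        Yaml safe = safeYaml();
        Map<String, Object> config = loadConfig(safe, PLAIN_CONFIG);
        Map<?, ?> controller = (Map<?, ?>) config.get("Flow Controller");
        System.out.println("flow name: " + controller.get("name"));

        try {
            loadConfig(safe, TAGGED_CONFIG);
            System.out.println("unexpected: tagged document accepted");
        } catch (YAMLException e) {
            // SafeConstructor fails with "could not determine a constructor for the tag ..."
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```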