[
https://issues.apache.org/jira/browse/NIFI-11142?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17684699#comment-17684699
]
David Handermann commented on NIFI-11142:
-----------------------------------------
You're welcome, sounds good! SnakeYAML has had several associated
vulnerabilities reported, which has prompted changes in the default behavior of
YAML parsing in more recent versions. If you discover future issues with
potential security implications that have not yet been disclosed to the public,
please contact [[email protected]|mailto:[email protected]] for
initial coordination prior to creating a Jira issue.
> Security fix for SnakeYAML
> --------------------------
>
> Key: NIFI-11142
> URL: https://issues.apache.org/jira/browse/NIFI-11142
> Project: Apache NiFi
> Issue Type: Improvement
> Components: MiNiFi
> Reporter: Robert Liszli
> Assignee: Robert Liszli
> Priority: Minor
> Fix For: 1.20.0
>
>
> *Fix for:*
> SnakeYaml's Constructor() class does not restrict types which can be
> instantiated during deserialization. Deserializing yaml content provided by
> an attacker can lead to remote code execution. We recommend using SnakeYaml's
> SafeConstructor when parsing untrusted content to restrict deserialization.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
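The mitigation the issue description recommends, as an added example that is not part of the Jira issue or of the NiFi/MiNiFi code base: build the `Yaml` loader with `SafeConstructor`, which constructs only standard YAML types (maps, lists, scalars) and rejects any global `!!` tag instead of resolving it to a Java class. It assumes the SnakeYAML 1.33+/2.x API (`SafeConstructor(LoaderOptions)`, `setCodePointLimit`, `setNestingDepthLimit`); both YAML documents are constructed samples and `com.example.PlaceholderType` is a placeholder class name, not a real type.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoading {

    // Constructed sample: plain data with no type tags. Any loader accepts this.
    static final String PLAIN_CONFIG = String.join("\n",
        "name: example-flow",
        "threads: 4",
        "nested:",
        "  enabled: true",
        "");

    // Constructed sample: the same shape of document, but one value carries a
    // global (!!) tag naming a Java class. The class name is a placeholder; the
    // point is that the document author, not the application, picks the type to
    // instantiate, which is what the unrestricted Constructor() would honour.
    static final String TAGGED_CONFIG = String.join("\n",
        "name: example-flow",
        "threads: !!com.example.PlaceholderType {}",
        "");

    /** Loader that only builds standard YAML types; global tags are refused. */
    static Yaml safeYaml() {
        LoaderOptions options = new LoaderOptions();
        // Additional limits for untrusted input (assumed: SnakeYAML 1.32+ setters).
        options.setCodePointLimit(1024 * 1024); // cap document size at 1 MiB of code points
        options.setNestingDepthLimit(50);        // cap nesting depth
        return new Yaml(new SafeConstructor(options));
    }

    /** Parse a document from an untrusted source into plain collections. */
    static Map<String, Object> loadUntrusted(String document) {
        // SafeConstructor throws a YAMLException (ConstructorException) for any
        // tag it has no registered construct for, so tags cannot select classes.
        return safeYaml().load(document);
    }

    public static void main(String[] args) {
        Map<String, Object> config = loadUntrusted(PLAIN_CONFIG);
        System.out.println("plain document loaded: " + config);

        try {
            loadUntrusted(TAGGED_CONFIG);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("tagged document rejected: " + e.getMessage());
        }
    }
}
```

Replacing `new Yaml()` or `new Yaml(new Constructor(...))` with the `safeYaml()` form above is the whole change for code that only needs configuration data; code that genuinely needs typed objects should instead construct a `Constructor` bound to one explicit root class and, on 2.x, keep the default `TagInspector` that denies global tags.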