[ https://issues.apache.org/jira/browse/NIFI-11142?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Liszli resolved NIFI-11142. ---------------------------------- Resolution: Not A Problem The questionable Constructor is not used in the codebase. > Security fix for SnakeYAML > -------------------------- > > Key: NIFI-11142 > URL: https://issues.apache.org/jira/browse/NIFI-11142 > Project: Apache NiFi > Issue Type: Improvement > Components: MiNiFi > Reporter: Robert Liszli > Assignee: Robert Liszli > Priority: Minor > > *Fix for:* > SnakeYaml's Constructor() class does not restrict types which can be > instantiated during deserialization. Deserializing yaml content provided by > an attacker can lead to remote code execution. We recommend using SnakeYaml's > SafeConsturctor when parsing untrusted content to restrict deserialization. -- This message was sent by Atlassian Jira (v8.20.10#820010)