[ 
https://issues.apache.org/jira/browse/OAK-9987?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mohit Kataria updated OAK-9987:
-------------------------------
    Description: 
Description: oak-search-elastic embeds snakeyaml-1.26.jar which is vulnerable to

CVE-2022-38749  MEDIUM  Using snakeYAML to parse untrusted YAML files may be
vulnerable to Denial of Service attacks (DoS). If the parser is running on user
supplied input, an attacker may supply content that causes the parser to crash
by stack overflow.
CVE-2022-38750  MEDIUM  Using snakeYAML to parse untrusted YAML files may be
vulnerable to Denial of Service attacks (DoS). If the parser is running on user
supplied input, an attacker may supply content that causes the parser to crash
by stack overflow.
CVE-2022-25857  MEDIUM  The package org.yaml:snakeyaml from 0 and before 1.31
is vulnerable to Denial of Service (DoS) due to missing nested depth
limitation for collections.
CVE-2022-38751  MEDIUM  Using snakeYAML to parse untrusted YAML files may be
vulnerable to Denial of Service attacks (DoS). If the parser is running on user
supplied input, an attacker may supply content that causes the parser to crash
by stack overflow.
CVE-2022-38752  MEDIUM  Using snakeYAML to parse untrusted YAML files may be
vulnerable to Denial of Service attacks (DoS). If the parser is running on user
supplied input, an attacker may supply content that causes the parser to crash
by stack overflow.


  was:
Description: oak-search-elastic embeds snakeyaml-1.26.jar which is vulnerable to

ID      CVSS    Summary
CVE-2022-38749  MEDIUM  Using snakeYAML to parse untrusted YAML files may be
vulnerable to Denial of Service attacks (DoS). If the parser is running on user
supplied input, an attacker may supply content that causes the parser to crash
by stack overflow.
CVE-2022-38750  MEDIUM  Using snakeYAML to parse untrusted YAML files may be
vulnerable to Denial of Service attacks (DoS). If the parser is running on user
supplied input, an attacker may supply content that causes the parser to crash
by stack overflow.
CVE-2022-25857  MEDIUM  The package org.yaml:snakeyaml from 0 and before 1.31
is vulnerable to Denial of Service (DoS) due to missing nested depth
limitation for collections.
CVE-2022-38751  MEDIUM  Using snakeYAML to parse untrusted YAML files may be
vulnerable to Denial of Service attacks (DoS). If the parser is running on user
supplied input, an attacker may supply content that causes the parser to crash
by stack overflow.
CVE-2022-38752  MEDIUM  Using snakeYAML to parse untrusted YAML files may be
vulnerable to Denial of Service attacks (DoS). If the parser is running on user
supplied input, an attacker may supply content that causes the parser to crash
by stack overflow.
Recommendation:
Apply one of the following suggestions:

Remove usage and dependency
Upgrade to a vulnerability free version of the embedded library. If none is 
available, upgrade to a less vulnerable version (lower CVSS Score)


> Oak-search-elastic depends on vulnerable snakeyaml version.
> -----------------------------------------------------------
>
>                 Key: OAK-9987
>                 URL: https://issues.apache.org/jira/browse/OAK-9987
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: indexing
>    Affects Versions: 1.44.0
>            Reporter: Mohit Kataria
>            Priority: Major
>
> Description: oak-search-elastic embeds snakeyaml-1.26.jar which is vulnerable 
> to
> CVE-2022-38749        MEDIUM  Using snakeYAML to parse untrusted YAML files
> may be vulnerable to Denial of Service attacks (DoS). If the parser is
> running on user supplied input, an attacker may supply content that causes
> the parser to crash by stack overflow.
> CVE-2022-38750        MEDIUM  Using snakeYAML to parse untrusted YAML files
> may be vulnerable to Denial of Service attacks (DoS). If the parser is
> running on user supplied input, an attacker may supply content that causes
> the parser to crash by stack overflow.
> CVE-2022-25857        MEDIUM  The package org.yaml:snakeyaml from 0 and
> before 1.31 is vulnerable to Denial of Service (DoS) due to missing nested
> depth limitation for collections.
> CVE-2022-38751        MEDIUM  Using snakeYAML to parse untrusted YAML files
> may be vulnerable to Denial of Service attacks (DoS). If the parser is
> running on user supplied input, an attacker may supply content that causes
> the parser to crash by stack overflow.
> CVE-2022-38752        MEDIUM  Using snakeYAML to parse untrusted YAML files
> may be vulnerable to Denial of Service attacks (DoS). If the parser is
> running on user supplied input, an attacker may supply content that causes
> the parser to crash by stack overflow.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
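Added illustration for the nested-depth issue described in the ticket (this is example code written for this page, not code from Jackrabbit Oak, oak-search-elastic or the issue reporter). It assumes org.yaml:snakeyaml 1.31 or later on the classpath, where LoaderOptions.setNestingDepthLimit exists (the control added for CVE-2022-25857), and uses a constructed deeply nested flow sequence as the untrusted input. The class name, the MAX_DEPTH policy value and the helper names are this example's own choices.

```java
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

/**
 * Example (not Oak project code): load untrusted YAML with the nesting depth
 * limit that snakeyaml 1.31 introduced, so a pathologically nested collection
 * is rejected with a YAMLException instead of exhausting the thread stack.
 * Requires org.yaml:snakeyaml >= 1.31.
 */
public class HardenedYamlLoader {

    /** Deepest nesting this loader accepts; an assumed policy value for the example. */
    static final int MAX_DEPTH = 50;

    /** Build a Yaml instance whose loader bounds the resources a document can consume. */
    static Yaml hardenedYaml() {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(MAX_DEPTH);   // 1.31+: bounds collection nesting (CVE-2022-25857)
        opts.setMaxAliasesForCollections(50);   // 1.26+: bounds alias expansion
        opts.setAllowRecursiveKeys(false);      // 1.26+: recursive keys are never needed for config
        // SafeConstructor materialises only standard YAML types (maps, lists,
        // scalars), never application classes named inside the document.
        return new Yaml(new SafeConstructor(), new Representer(), new DumperOptions(), opts);
    }

    /** Constructed input: a flow sequence nested `depth` levels deep, e.g. "[[[]]]". */
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) {
            sb.append('[');
        }
        for (int i = 0; i < depth; i++) {
            sb.append(']');
        }
        return sb.toString();
    }

    /**
     * Parse `doc` with the given loader. Returns true when the document is
     * accepted and false when the loader rejects it. StackOverflowError is
     * deliberately not caught: with the limits above it must not happen, and
     * if it does that is a defect worth surfacing rather than hiding.
     */
    static boolean tryLoad(Yaml yaml, String doc) {
        try {
            Object ignored = yaml.load(doc);
            return true;
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = hardenedYaml();
        // A shallow document stays well inside the limit and loads normally.
        System.out.println("depth 10 accepted: " + tryLoad(yaml, nestedSequence(10)));
        // A document nested far beyond MAX_DEPTH is refused by the composer
        // before the recursion that the ticket's CVEs describe can run away.
        System.out.println("depth 10000 accepted: " + tryLoad(yaml, nestedSequence(10000)));
    }
}
```

The depth limit is enforced by the loader configuration, so it only helps once the embedded jar is actually upgraded; a build that still bundles snakeyaml-1.26.jar has no setNestingDepthLimit to call. For a Maven module such as oak-search-elastic, `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` shows which snakeyaml version is resolved and through which transitive path, which is the quickest way to confirm the upgrade took effect.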
