[ 
https://issues.apache.org/jira/browse/OAK-9987?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mohit Kataria updated OAK-9987:
-------------------------------
    Affects Version/s: 1.44.0

> Oak-search-elastic depends on vulnerable snakeyaml version.
> -----------------------------------------------------------
>
>                 Key: OAK-9987
>                 URL: https://issues.apache.org/jira/browse/OAK-9987
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: indexing
>    Affects Versions: 1.44.0
>            Reporter: Mohit Kataria
>            Priority: Major
>
> Description: oak-search-elastic embeds snakeyaml-1.26.jar, which is vulnerable to:
>
> ID              CVSS    Summary
> CVE-2022-38749  MEDIUM  Using snakeYAML to parse untrusted YAML files may be
>                         vulnerable to Denial of Service attacks (DoS). If the
>                         parser is running on user-supplied input, an attacker may
>                         supply content that causes the parser to crash by stack
>                         overflow.
> CVE-2022-38750  MEDIUM  Using snakeYAML to parse untrusted YAML files may be
>                         vulnerable to Denial of Service attacks (DoS). If the
>                         parser is running on user-supplied input, an attacker may
>                         supply content that causes the parser to crash by stack
>                         overflow.
> CVE-2022-25857  MEDIUM  The package org.yaml:snakeyaml from 0 and before 1.31 is
>                         vulnerable to Denial of Service (DoS) due to a missing
>                         nested depth limitation for collections.
> CVE-2022-38751  MEDIUM  Using snakeYAML to parse untrusted YAML files may be
>                         vulnerable to Denial of Service attacks (DoS). If the
>                         parser is running on user-supplied input, an attacker may
>                         supply content that causes the parser to crash by stack
>                         overflow.
> CVE-2022-38752  MEDIUM  Using snakeYAML to parse untrusted YAML files may be
>                         vulnerable to Denial of Service attacks (DoS). If the
>                         parser is running on user-supplied input, an attacker may
>                         supply content that causes the parser to crash by stack
>                         overflow.
>
> Recommendation:
> Apply one of the following suggestions:
> - Remove usage and dependency.
> - Upgrade to a vulnerability-free version of the embedded library. If none is
>   available, upgrade to a less vulnerable version (lower CVSS score).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
