CVE-2022-1471 ? -> Not Applicable to jackson-dataformat-yaml

[jpcmonster]

Hi - are you able to comment on the usage of snakeyaml regarding CVE-2022-1471?
Is the team able to make a statement like this one?
spring-projects/spring-boot#33457 (comment)
Thanks!

|    |    |         +--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.14.0
|    |    |         |    +--- com.fasterxml.jackson.core:jackson-databind:2.14.0 (*)
|    |    |         |    +--- org.yaml:snakeyaml:1.33 -> 1.32
|    |    |         |    +--- com.fasterxml.jackson.core:jackson-core:2.14.0 (*)
|    |    |         |    \--- com.fasterxml.jackson:jackson-bom:2.14.0 (*)

[cowtowncoder]

Jackson YAML module does not use SnakeYAML's databinding level for anything -- so neither Constructor nor its subtypes are used for anything. Only token-/event-stream decoding (and reference resolution) is used.

So as far as I can see that CVE is N/A for jackson-dataformat-yaml.

[jphelp32]

@cowtowncoder does jackson use any of the parts of snakeyaml that have been updated in a backwardly incompatible way with version 2.0 or 2.1? https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes
thanks

[yawkat]

@jphelp32 i think possibly before #371, but the latest jackson versions are compatible with snakeyaml 2.0 so you can upgrade if you want.

[cowtowncoder]

As far as I know, changes made in 2.14 made 2.14.2 work with SnakeYAML 2.x, but prior versions used one method/constructor that was deprecated in 1.33 and removed from 2.0.

So upgrade to 2.14.2 is probably needed for anyone wanting to use SnakeYAML 2.x.