Snakeyaml vulnerability in quarkus 2.15.3 final #31181
Labels: kind/bug, triage/duplicate, triage/invalid
Describe the bug
We use the io.quarkus:quarkus-universe-bom:2.15.3.Final jar in our application, which uses a vulnerable artifact, snakeyaml. Even the most recent snakeyaml version, v1.33, has a high-severity vulnerability that can lead to remote code execution: https://nvd.nist.gov/vuln/detail/CVE-2022-1471
Snakeyaml hasn't offered an updated safe version so far. Since we use Quarkus, the snakeyaml library is transitively added as well.
Spring Boot came up with their analysis on why their use case of snakeyaml is not vulnerable, even though they use it: spring-projects/spring-boot#33457
Is there a plan by Quarkus to address this challenge/vulnerability that comes with using snakeyaml? Please let me know if there's any update.
Expected behavior
No response
Actual behavior
No response
How to Reproduce?
No response
Output of uname -a or ver
No response
Output of
java -version
No response
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.15.3.Final
Build tool (ie. output of mvnw --version or gradlew --version)
No response
Additional information
No response
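The distinction that decides whether an application's own use of snakeyaml is exposed to CVE-2022-1471 is which constructor the `Yaml` instance is built with: the default `Constructor` resolves global `!!` tags to JVM classes named by the document, while `SafeConstructor` rejects them. The example below is added here to show that contrast; it is not code from the issue, from Quarkus or from Spring Boot, and the YAML input (with a harmless class name) is constructed for the example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlTagCheck {

    // Constructed sample document: the global tag asks SnakeYAML to instantiate
    // whatever class the document names. A harmless class is used here; the
    // point of CVE-2022-1471 is that the document, not the caller, picks it.
    static final String TAGGED_DOC = "!!java.util.Date {}\n";

    // new Yaml() with no arguments uses the default Constructor, which honours
    // global tags, so the author of the YAML chooses the class that gets built.
    static Object loadWithDefaultConstructor(String doc) {
        return new Yaml().load(doc);
    }

    // SafeConstructor only builds the standard YAML types (maps, lists,
    // scalars, timestamps, ...); any other tag is rejected with an exception.
    static Object loadWithSafeConstructor(String doc) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
    }

    // True when the safe loader refuses the document, i.e. the document relied
    // on a class-instantiating tag that plain configuration data never needs.
    static boolean safeLoaderRejects(String doc) {
        try {
            loadWithSafeConstructor(doc);
            return false;
        } catch (YAMLException e) {   // ConstructorException is a subclass
            return true;
        }
    }

    public static void main(String[] args) {
        Object built = loadWithDefaultConstructor(TAGGED_DOC);
        System.out.println("default constructor built: " + built.getClass().getName());
        System.out.println("safe constructor rejects it: " + safeLoaderRejects(TAGGED_DOC));
        // Ordinary data loads identically through the safe path.
        System.out.println("plain map via safe constructor: "
                + loadWithSafeConstructor("name: app\nport: 8080\n"));
    }
}
```

To see which Quarkus extension pulls snakeyaml into a Maven build, `./mvnw dependency:tree -Dincludes=org.yaml:snakeyaml` prints the transitive path, which is the first thing to check before deciding whether any code path feeds it untrusted YAML.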