
CVE-2022-1471 still in Spring Boot 2.7.18 #38577

Closed
JeromeSimmonds opened this issue Nov 28, 2023 · 2 comments
Labels
status: duplicate A duplicate of another issue

Comments

JeromeSimmonds commented Nov 28, 2023

Hi,

What workaround does the Spring Boot team recommend, as Spring Boot 2.7.18, which just got released, still contains the CVE-2022-1471 vulnerability from snakeyaml 1.30?
I suppose using snakeyaml 2.x is not an option?

Thanks.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 28, 2023
@scottfrederick scottfrederick changed the title CVE-2022-1471 still in Spring Boot 2.18 CVE-2022-1471 still in Spring Boot 2.7.18 Nov 28, 2023
scottfrederick (Contributor) commented

I assume you meant Spring Boot 2.7.18 instead of 2.18, and edited your question accordingly. If that's not the case then please clarify.

See the discussion in #33457 for some options, which include not using YAML for property files and upgrading to a newer version of Spring Boot that does use Snake Yaml 2.x.

@scottfrederick scottfrederick closed this as not planned Won't fix, can't repro, duplicate, stale Nov 28, 2023
@scottfrederick scottfrederick added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 28, 2023
JeromeSimmonds (Author) commented

Yes, 2.7.18, thanks for fixing, and for your answer.
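For readers assessing the exposure discussed in this thread, the following added example (not code from the issue or from the Spring Boot project) shows the loading pattern behind CVE-2022-1471 next to the hardened form. It assumes the SnakeYAML 1.30 API that Spring Boot 2.7.x ships, where `SafeConstructor` has a no-argument constructor; the YAML document is constructed for the demonstration and uses a harmless class name.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlTagCheck {

    // Constructed sample input: an explicit global tag asks the loader to
    // instantiate a JVM class chosen by whoever wrote the document.
    // java.util.ArrayList is harmless here; the point is that the default
    // Constructor honours any class name it can find on the classpath, which
    // is the root of CVE-2022-1471.
    static final String UNTRUSTED_YAML = "!!java.util.ArrayList [a, b, c]";

    // new Yaml() uses Constructor: global !!tags are resolved to classes and
    // instantiated, so untrusted input controls which types get created.
    static Object loadWithDefaultConstructor(String yaml) {
        return new Yaml().load(yaml);
    }

    // SafeConstructor builds only standard YAML types (maps, lists, scalars)
    // and rejects any global !!tag with a YAMLException, so the document is
    // parsed as data rather than as instructions to construct objects.
    static Object loadSafely(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    public static void main(String[] args) {
        Object unsafe = loadWithDefaultConstructor(UNTRUSTED_YAML);
        System.out.println("default Constructor built: " + unsafe.getClass().getName());
        try {
            loadSafely(UNTRUSTED_YAML);
            System.out.println("SafeConstructor: loaded (unexpected)");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

In SnakeYAML 2.x the default loader no longer constructs global tags unless a `TagInspector` explicitly allows them, which is why the upgrade path in #33457 closes this class of issue; on 1.30 the safe form above depends on the application passing `SafeConstructor` wherever it loads YAML it does not control.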
