Upgrading to version 2.14.2 of jackson-dataformat-yaml seems to include the introduction of the snakeyaml library as a dependency. This vulnerability is listed as critical in NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-1471. As far as I understand, snakeyaml won't fix this in any new versions, so my question would be: is jackson using snakeyaml in a safe way (not using the Constructor() class at all but instead SafeConstructor())?
Thanks and Best Regards!
@Emuto SnakeYAML has always been a dependency, so this is not new.
But as @yawkat pointed out, the module DOES NOT use the higher-level databinding from SnakeYAML (hence no Constructor of any kind) but just the token sequence interface. As such, many CVEs reported lately against SnakeYAML are N/A to jackson-dataformat-yaml.
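To make the two layers concrete, here is an added example (not code from the jackson project or this thread) that feeds the same constructed document through jackson-dataformat-yaml, which only consumes SnakeYAML's event stream, and through a direct SnakeYAML call configured with `SafeConstructor`, the mitigation for CVE-2022-1471. The tag `!!com.example.NotInstantiated` is a fictional class name chosen so nothing on the classpath could match it.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.dataformat.yaml.YAMLMapper;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlLoadingCheck {

    // Constructed sample document: a mapping carrying a global tag that names
    // a class. The class name is fictional and does not exist on the classpath.
    static final String TAGGED_DOC =
            "config: !!com.example.NotInstantiated\n" +
            "  host: localhost\n" +
            "  port: 8080\n";

    // Path 1: jackson-dataformat-yaml. SnakeYAML is used only as the
    // token/event source; readTree builds a plain JsonNode tree and no
    // SnakeYAML Constructor (safe or otherwise) is involved.
    static JsonNode loadWithJackson(String doc) throws Exception {
        return new YAMLMapper().readTree(doc);
    }

    // Path 2: application code that calls SnakeYAML directly. SafeConstructor
    // only builds standard YAML types (maps, lists, scalars) and raises
    // ConstructorException for a tag it has no constructor for, instead of
    // resolving the tag to an arbitrary class.
    static Object loadWithSnakeYamlSafely(String doc) {
        Yaml safeYaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return safeYaml.load(doc);
    }

    public static void main(String[] args) throws Exception {
        JsonNode tree = loadWithJackson(TAGGED_DOC);
        System.out.println("jackson tree: " + tree);

        try {
            loadWithSnakeYamlSafely(TAGGED_DOC);
            System.out.println("unexpected: SafeConstructor accepted the tag");
        } catch (ConstructorException e) {
            // Expected: the class-naming tag is refused rather than instantiated.
            System.out.println("SafeConstructor rejected tag: " + e.getMessage());
        }
    }
}
```

The practical check this suggests is an audit of your own code base for direct `new Yaml()` or `new Constructor(...)` usages, since those, not jackson's parser, are where the CVE applies.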