Skip to content

Commit

Permalink
[CVE] Update snakeyaml dependency (#4341)
Browse files Browse the repository at this point in the history
The package `org.yaml:snakeyaml` before version 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Details at https://nvd.nist.gov/vuln/detail/CVE-2022-25857

Signed-off-by: Rabi Panda <adnapibar@gmail.com>
  • Loading branch information
adnapibar authored Aug 30, 2022
1 parent beb09af commit 4bccdbe
Show file tree
Hide file tree
Showing 4 changed files with 3 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
- Add timeout on Mockito.verify to reduce flakyness in testReplicationOnDone test([#4314](https://github.com/opensearch-project/OpenSearch/pull/4314))

### Security
- CVE-2022-25857 org.yaml:snakeyaml DOS vulnerability ([#4341](https://github.com/opensearch-project/OpenSearch/pull/4341))

## [2.x]
### Added
Expand Down
2 changes: 1 addition & 1 deletion buildSrc/version.properties
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ spatial4j = 0.7
jts = 1.15.0
jackson = 2.13.3
jackson_databind = 2.13.3
snakeyaml = 1.26
snakeyaml = 1.31
icu4j = 70.1
supercsv = 2.4.0
log4j = 2.17.1
Expand Down
1 change: 0 additions & 1 deletion libs/x-content/licenses/snakeyaml-1.26.jar.sha1

This file was deleted.

1 change: 1 addition & 0 deletions libs/x-content/licenses/snakeyaml-1.31.jar.sha1
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
cf26b7b05fef01e7bec00cb88ab4feeeba743e12

0 comments on commit 4bccdbe

Please sign in to comment.