CVE-2022-1471 - Dependency Snakeyaml Critical 9.8 score vulnerability #81
Comments
I think it is safe to update SnakeYAML to 2.0. See release notes: https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes PR for this project: #82
Is there an ETA on when the next release will be made that contains 82 and/or 83?
I don’t have a specific ETA, but I will do it once I have some time to evaluate all the recent PRs and requests.
@bpossolo My suggestion would be to make a release that is only the individual pull request to update the SnakeYAML dependency, as it has a security vulnerability.
From my understanding, the “security vulnerability” is not a real vulnerability, as has been pointed out by the maintainers of SnakeYAML. I need to figure out if the best path forward is to use a different lib (doesn’t introduce a breaking change) or if it should be done at build time (introduces a breaking change).
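For readers weighing the two posts above (upgrade to 2.0 vs. "not a real vulnerability"): what CVE-2022-1471 actually hinges on is whether untrusted YAML reaches SnakeYAML's default `Constructor`, which resolves global `!!` tags to classes. The snippet below is an added example, not code from this issue or from this project; it assumes SnakeYAML 2.x on the classpath and shows the loader configuration that refuses such tags on any version.

```java
// Added example (not from the issue thread or this project); assumes SnakeYAML 2.x.
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {

    // Constructed sample input: one ordinary mapping and one that carries a
    // global "!!" tag. The tagged class is deliberately harmless; the point
    // is that SafeConstructor refuses every global tag, whatever the class.
    static final String PLAIN  = "name: demo\nversion: 2\n";
    static final String TAGGED = "value: !!java.lang.String 'x'\n";

    // The root cause of CVE-2022-1471 is the default Constructor, which maps
    // "!!fully.qualified.Name" tags to classes and instantiates them.
    // SafeConstructor only builds standard YAML types (map, list, scalar)
    // and throws on any global tag. LoaderOptions carries the remaining
    // input limits (duplicate keys, document size).
    static Yaml safeLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);
        opts.setCodePointLimit(1024 * 1024);   // at most 1 MiB of input
        return new Yaml(new SafeConstructor(opts));
    }

    // Parses untrusted YAML into a plain map, or returns null if the
    // document is rejected. Callers never receive a partially built object.
    @SuppressWarnings("unchecked")
    static Map<String, Object> loadUntrusted(String yaml) {
        try {
            Object root = safeLoader().load(yaml);
            return root instanceof Map ? (Map<String, Object>) root : null;
        } catch (YAMLException e) {
            // Log and reject; never fall back to the default Constructor
            // just to "make it parse".
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("plain  -> " + loadUntrusted(PLAIN));
        System.out.println("tagged -> " + loadUntrusted(TAGGED));
    }
}
```

The first document loads as an ordinary map; the second is rejected by SafeConstructor with a ConstructorException before any class is touched, which is the behaviour a scanner flagging this CVE is really asking you to guarantee.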
Come on. It's been six more months. Just release an update so all the Maven dependencies can be updated to bring in the version of SnakeYAML that doesn't flag a CVE. It doesn't matter if you think it's a real or imaginary vulnerability. Tools flag the dependencies as having CVEs.
Guys, can you please release a new version...
Could you please release a version with SnakeYAML 2.0?
Please, this is really urgent! Can we release a version with SnakeYAML 2.x?
I'm pleased to announce version 1.6.1 has been released to Maven Central and the security vulnerability has been addressed. See here for what's changed.
https://nvd.nist.gov/vuln/detail/CVE-2022-1471
Fixed in SnakeYAML version 2.0.