Update Snakeyaml for indirect dependencies

Description

Snakeyaml is updated for our JVM. But CVE-2022-25857 is still flagged by indirect dependencies in our 2023 / 2024 scans. This needs to be resolved.

CVE-2022-25857 should be assessed and rated for our use as well.

Acceptance / Success Criteria

None

Activity


Christian Pape October 29, 2024 at 12:11 PM

Merged.

Christian Pape October 24, 2024 at 11:45 AM

Please review:
* PR:

The trivy-scans will still find snakeyaml v1.29. This is coming from the prom-jmx-exporter v0.16.1 which is installed in deploy-base. This also needs to be updated to at least v0.17.1.

Nishtha Kaura October 8, 2024 at 2:14 AM

The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.

On further investigation, it is considered a minor vulnerability as long as you trust the source of the YAML you are feeding to SnakeYAML, which is applicable in our case.

snakeyaml / snakeyaml / wiki / CVE & NIST — Bitbucket

CVSS v3.1 Vector

AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

Score: 4.8 Medium
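The depth limit this comment refers to, shown in use as an added example (not code from this ticket, the PR, or the snakeyaml project): it assumes org.yaml:snakeyaml 1.31 or later, where LoaderOptions.setNestingDepthLimit was introduced as the fix for CVE-2022-25857, and feeds a constructed nested sequence to show that a document deeper than the configured limit is rejected instead of being composed without bound.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Assumption: org.yaml:snakeyaml 1.31+ on the classpath. Earlier versions
 * (such as the 1.29 pulled in transitively) have no nesting depth option at all.
 */
public class SnakeYamlDepthLimitCheck {

    /** Build a Yaml loader that refuses documents nested deeper than maxDepth. */
    static Yaml boundedLoader(int maxDepth) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(maxDepth); // 1.31+ default is 50
        return new Yaml(opts);
    }

    /** Constructed input: a flow sequence nested `depth` levels deep, e.g. [[[1]]] for depth 3. */
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('1');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Returns true if the loader accepted the document, false if it rejected it. */
    static boolean loads(Yaml yaml, String doc) {
        try {
            yaml.load(doc);
            return true;
        } catch (YAMLException e) {
            // The composer throws once the configured nesting depth is exceeded.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = boundedLoader(20);
        System.out.println("depth 10 accepted: " + loads(yaml, nestedSequence(10)));
        System.out.println("depth 30 accepted: " + loads(yaml, nestedSequence(30)));
    }
}
```

On 1.29, the version the trivy scan still reports, there is no such option and the depth is unbounded, which is the condition the CVE describes; the limit only matters once the transitive copy is actually replaced.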

Fixed

Created October 3, 2024 at 7:35 PM
Updated December 11, 2024 at 12:17 PM
Resolved October 29, 2024 at 12:11 PM