High CVE on 'SnakeYAML' dependency #405
Labels
yaml
Issue related to YAML format backend
Comments
|
Please see #392 and the issues linked from there |
|
@saarw-actimize And as you hopefully know, this CVE -- and virtually every single CVE against SnakeYAML does not actually apply to Jackson YAML module. Functionality that is considered vulnerable to Gadget-style attacks is not used or exposed by this module (has never been; won't). Unfortunately security tools cannot determine these false positives so there is lots of unnecessary toil for maintainers and users for upgrades that are not actually needed at all. But such is life in the current CVE/Vuln ecosystem. :-( |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi dear Jackson team,
I want to inform you that the SnakeYAML dependency has a high CVE, and a few weeks ago there was a release of a new fixed SnakeYAML version 2.0.
I would like to know if you plan to integrate with the new version on your next release.
Thanks,
Saar
The text was updated successfully, but these errors were encountered: