Upgrade to SnakeYAML to address CVE-2017-18640

SnakeYAML < 1.26 is vulnerable to a Billion Laughs attack (denial of service). * https://nvd.nist.gov/vuln/detail/CVE-2017-18640 * https://bitbucket.org/asomov/snakeyaml/issues/377 Refs FasterXML/jackson-dataformats-text#187 Refs #3223
dropwizard · Apr 4, 2020 · 4138c94 · 4138c94
1 parent e0c32db
commit 4138c94
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/dropwizard-bom/pom.xml b/dropwizard-bom/pom.xml
@@ -341,6 +341,12 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+            <!-- CVE-2017-18640: https://nvd.nist.gov/vuln/detail/CVE-2017-18640 -->
+            <dependency>
+                <groupId>org.yaml</groupId>
+                <artifactId>snakeyaml</artifactId>
+                <version>1.26</version>
+            </dependency>
 
             <!-- Jersey -->
             <dependency>