
security: CVE-2017-18640 with org.yaml : snakeyaml : 1.17 #2231

Closed
ghost opened this issue Jan 15, 2020 · 3 comments

Comments

@ghost

ghost commented Jan 15, 2020

One of our transitive dependencies with snakeyaml is causing a new alert/security blocker for builds.
The CVE abstract states the developer of the package will not fix the issue.
The issue is related to programmatically consuming YML with "malicious" dependencies causing memory outages, which falls way beyond our limited usage of static yml resources for Spring configuration.

Therefore, the issue should be waived with a small description of how our usage does not make Vorto vulnerable.

@kolotu could you please assign to @t-gauss , as he's the only one able to waive at this time?

Note: this is a blocker for processing pull requests at this time.
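The mechanism behind CVE-2017-18640, as an added example that is not part of this issue or of the Vorto code base: YAML anchors (`&a`) and aliases (`*a`) let a few lines describe a graph that expands exponentially when it is traversed. SnakeYAML 1.26 added `LoaderOptions.setMaxAliasesForCollections(int)` (default 50) to reject such documents at load time; a project still on 1.17 has no such option, so the guard below counts aliases to collections with the streaming event API before calling `load`. The class name `AliasBombGuard`, the helper names and both YAML strings are constructed for this example; it assumes only the SnakeYAML 1.x API (`Yaml.parse`, `org.yaml.snakeyaml.events`).

```java
import java.io.StringReader;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.events.AliasEvent;
import org.yaml.snakeyaml.events.CollectionStartEvent;
import org.yaml.snakeyaml.events.Event;
import org.yaml.snakeyaml.events.ScalarEvent;

// Hypothetical class written for this example; not Vorto or SnakeYAML code.
public class AliasBombGuard {

    // Constructed sample: a nine-level alias bomb. load() builds a small shared
    // graph, but any traversal (toString, JSON serialization, Spring binding)
    // expands it to 9^9 = 387,420,489 leaf strings, which exhausts the heap.
    static final String ALIAS_BOMB =
          "a: &a [\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\"]\n"
        + "b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]\n"
        + "c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]\n"
        + "d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]\n"
        + "e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]\n"
        + "f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]\n"
        + "g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]\n"
        + "h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]\n"
        + "i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]\n";

    // Constructed sample: the kind of static Spring configuration the issue
    // describes, using one legitimate merge-key alias.
    static final String STATIC_CONFIG =
          "server:\n"
        + "  port: 8080\n"
        + "defaults: &defaults\n"
        + "  timeout: 30\n"
        + "repository:\n"
        + "  <<: *defaults\n"
        + "  url: jdbc:postgresql://localhost/vorto\n";

    /**
     * Counts aliases that refer to a sequence or mapping and rejects the document
     * once the count exceeds maxCollectionAliases. The event stream never expands
     * aliases, so the check is linear in the size of the text. Aliases to scalars
     * are harmless and are not counted, the same distinction SnakeYAML 1.26 makes.
     */
    static int countCollectionAliases(String yamlText, int maxCollectionAliases) {
        Set<String> collectionAnchors = new HashSet<>();
        int collectionAliases = 0;
        for (Event event : new Yaml().parse(new StringReader(yamlText))) {
            if (event instanceof CollectionStartEvent) {
                String anchor = ((CollectionStartEvent) event).getAnchor();
                if (anchor != null) {
                    collectionAnchors.add(anchor);
                }
            } else if (event instanceof ScalarEvent) {
                String anchor = ((ScalarEvent) event).getAnchor();
                if (anchor != null) {
                    collectionAnchors.remove(anchor); // anchor re-bound to a scalar
                }
            } else if (event instanceof AliasEvent) {
                if (collectionAnchors.contains(((AliasEvent) event).getAnchor())) {
                    collectionAliases++;
                    if (collectionAliases > maxCollectionAliases) {
                        throw new IllegalArgumentException("refusing to load: more than "
                            + maxCollectionAliases
                            + " aliases to collections (possible alias bomb)");
                    }
                }
            }
        }
        return collectionAliases;
    }

    // Guarded replacement for a bare Yaml.load(); 50 is the default limit 1.26 adopted.
    @SuppressWarnings("unchecked")
    static Map<String, Object> loadGuarded(String yamlText) {
        countCollectionAliases(yamlText, 50);
        Object loaded = new Yaml().load(yamlText);
        return (Map<String, Object>) loaded;
    }

    public static void main(String[] args) {
        Map<String, Object> config = loadGuarded(STATIC_CONFIG); // 1 collection alias, accepted
        System.out.println("static config loaded: " + config.get("repository"));
        try {
            loadGuarded(ALIAS_BOMB); // 72 collection aliases, rejected before any node is composed
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Run over every YAML resource the build actually loads (they are static and under version control), the check reports the handful of aliases a Spring configuration uses, which is the concrete evidence a waiver like the one requested above rests on. Note that `load` itself does not fail on the bomb; the expansion happens when the resulting graph is walked, which is why the CVE manifests as memory exhaustion rather than as a parse error.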

@kolotu
Member

kolotu commented Jan 15, 2020

I can't assign to @t-gauss for some reason. He doesn't show up in the list.

@t-gauss
Contributor

t-gauss commented Jan 16, 2020

Waived it.

@ghost
Author

ghost commented Jan 16, 2020

Thanks @t-gauss

@ghost ghost closed this as completed Jan 16, 2020