In GHSA-mjmj-j48q-9wg2 you call out that snakeyaml has a vulnerability in version 1.30 and that the vulnerability has been disclosed. You do not, however, call out any fixes in either artifact versions or commits. The developers don't seem to have added any clearly related commits after your disclosure date and it's left ambiguous to the reader if a fix exists or is planned.
The vulnerability still exists. Upgrading won't fix the issue unfortunately. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content, as it restricts deserialization to only primitive types, thus preventing exploitation.
Commit log: https://bitbucket.org/snakeyaml/snakeyaml/commits/
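The mitigation recommended in the reply above, as an added example that is not part of the original thread or of the SnakeYAML project: untrusted YAML is parsed with `SafeConstructor`, so a document carrying a Java class tag is rejected instead of instantiated. The class name `SafeYamlLoad`, the tag `!!com.example.Widget` and both sample documents are constructed for illustration; the no-argument `SafeConstructor()` matches the 1.x line discussed here, and SnakeYAML must be on the classpath.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoad {

    // Parse untrusted YAML. SafeConstructor only builds standard YAML types
    // (maps, lists, strings, numbers, booleans, ...); any other tag fails.
    static Map<?, ?> loadUntrusted(String text) {
        // 1.x signature; later releases take a LoaderOptions argument instead.
        Yaml yaml = new Yaml(new SafeConstructor());
        Object doc = yaml.load(text);
        // Also covers an empty document, for which load() returns null.
        if (!(doc instanceof Map)) {
            throw new IllegalArgumentException("expected a YAML mapping at the top level");
        }
        return (Map<?, ?>) doc;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String plain = "name: demo\nreplicas: 3\n";
        // Hypothetical class tag; SafeConstructor never resolves it to a class.
        String tagged = "widget: !!com.example.Widget {name: demo}\n";

        System.out.println("accepted: " + loadUntrusted(plain));

        try {
            loadUntrusted(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // ConstructorException (a YAMLException) is raised for the unknown tag.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Callers should treat `YAMLException` on untrusted input as a rejected document and log it, rather than retrying with the default `Yaml()` constructor.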