
Please expand on your vulnerability report #17

Closed
darakian opened this issue Oct 13, 2022 · 1 comment

Comments


darakian commented Oct 13, 2022

In GHSA-mjmj-j48q-9wg2
you call out that snakeyaml has a vulnerability in version 1.30 and that the vulnerability has been disclosed. You do not however call out any fixes in either artifact versions or commits. The developers don't seem to have added any clearly related commits after your disclosure date and it's left ambiguous to the reader if a fix exists or is planned.

Commit log: https://bitbucket.org/snakeyaml/snakeyaml/commits/

@sirdarckcat (Member) commented

The vulnerability still exists. Upgrading won't fix the issue unfortunately. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content, as it restricts deserialization to only primitive types, thus preventing exploitation.
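The difference between the two loader configurations discussed above, as an added example that is not part of this issue thread or the SnakeYAML project's own code. It assumes a SnakeYAML 1.x release (such as the 1.30 named in the advisory) on the classpath, where SafeConstructor has a no-argument constructor; the YAML documents and the class and method names are constructed for this illustration. The tagged input uses the harmless java.lang.Object only to show the mechanism: the default Constructor instantiates whatever class a global tag names, while SafeConstructor rejects the tag outright.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeConstructorDemo {

    // Constructed sample input (not from the issue). The "!!java.lang.Object"
    // global tag asks the loader to instantiate the named class; java.lang.Object
    // is used here because it is harmless, but the same resolution applies to
    // any class name an attacker places in the tag.
    static final String TAGGED_INPUT = "payload: !!java.lang.Object {}\n";

    // Constructed plain data with no global tags: the kind of content
    // SafeConstructor accepts (maps, lists, strings, numbers, booleans, null).
    static final String PLAIN_INPUT = "name: example\nretries: 3\n";

    // Vulnerable pattern: the default Constructor resolves global tags to
    // classes and instantiates them while building the object graph.
    static Object loadWithDefaultConstructor(String yaml) {
        return new Yaml().load(yaml);
    }

    // Hardened pattern: SafeConstructor only knows the core YAML types, so a
    // tag naming a Java class has no registered construct and is rejected.
    static Object loadWithSafeConstructor(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    @SuppressWarnings("unchecked")
    public static void main(String[] args) {
        // With the default Constructor the tag is honoured and an instance is created.
        Map<String, Object> unsafe =
                (Map<String, Object>) loadWithDefaultConstructor(TAGGED_INPUT);
        System.out.println("default Constructor instantiated: "
                + unsafe.get("payload").getClass().getName());

        // With SafeConstructor the same document fails before any class is touched.
        try {
            loadWithSafeConstructor(TAGGED_INPUT);
            System.out.println("unexpected: SafeConstructor accepted the tagged input");
        } catch (YAMLException e) {
            // ConstructorException ("could not determine a constructor for the tag ...")
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }

        // Untagged data still parses normally under SafeConstructor.
        Map<String, Object> plain =
                (Map<String, Object>) loadWithSafeConstructor(PLAIN_INPUT);
        System.out.println("SafeConstructor parsed plain data: " + plain);
    }
}
```

The safe configuration is a property of each Yaml instance, so it has to be applied at every call site that parses untrusted input; a single `new Yaml()` left behind for the same data undoes the protection.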
