snakeyaml vulnerability GHSA-3mc7-4q67-w48m impacting CLI #15339

Closed
nvp152 opened this issue Nov 3, 2022 · 4 comments · Fixed by #16382
Labels: area/admin/cli, kind/bug
Milestone: 20.0.3

Comments

nvp152 commented Nov 3, 2022

Area

admin/cli

Describe the bug

The version of snakeyaml should be upgraded from 1.26 to 1.31 in the artifacts below to address a "high" vuln:

keycloak-admin-cli-20.0.0.jar
keycloak-client-registration-cli-20.0.0.jar

See: GHSA-3mc7-4q67-w48m

The Anchore docker image scanner (among others) is flagging that vuln.

Version

20.0.0

Expected behavior

Neither keycloak-admin-cli, nor keycloak-client-registration-cli should have "high" vulnerabilities.

Actual behavior

Both keycloak-admin-cli and keycloak-client-registration-cli have "high" vulnerabilities.

How to Reproduce?

The snakeyaml version of 1.26 being used is known to be vulnerable.

Anything else?

No response

@nvp152 nvp152 added kind/bug Categorizes a PR related to a bug status/triage labels Nov 3, 2022
@ghost ghost added the area/admin/cli label Nov 3, 2022
vmuzikar (Contributor) commented:

@abstractj Just checking before we work on it if this is something that you are perhaps already handling?

abstractj (Contributor) commented Nov 10, 2022

@vmuzikar I'm afraid that this is something that we are unable to fix at the moment. To be honest, I haven't looked into this, but it is possible to find a detailed explanation here: #14850.

Unfortunately, I didn't hear anything back from uap-java maintainers since ua-parser/uap-java#74 was created.

If you have any questions, please let me know.

pedroigor (Contributor) commented:

I'm closing this one as per last comment from @abstractj.

@ghost ghost removed the status/triage label Nov 16, 2022
@pedroigor pedroigor reopened this Nov 16, 2022
@pedroigor pedroigor closed this as not planned Nov 16, 2022
trixpan (Contributor) commented Dec 15, 2022

@abstractj @pedroigor given that the usage of ua-parser is largely cosmetic, wouldn't it be easier to remove/refactor/port to another library?

@abstractj abstractj reopened this Dec 16, 2022
abstractj added a commit to abstractj/keycloak that referenced this issue Dec 22, 2022:

Resolves keycloak#15339

CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
More details:
- ua-parser/uap-java#74
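The commit message above names CVE-2022-25857, the missing nesting-depth limit in snakeyaml: the library's composer recurses once per nested collection, so a document with enough nesting exhausts the thread stack. As an added example that is not part of this issue, of Keycloak, or of uap-java, the following Java program builds such a document and shows how the LoaderOptions.setNestingDepthLimit setting introduced in snakeyaml 1.31 rejects it before the recursion runs away. The class and helper names, the chosen depths, and the --unbounded flag are the example's own; it assumes snakeyaml 1.31 or newer on the classpath.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Added example for CVE-2022-25857 (not Keycloak or uap-java code).
 * Requires snakeyaml 1.31+, where LoaderOptions.setNestingDepthLimit exists;
 * 1.26, the version shipped in the CLI jars, has no such limit.
 */
public class NestingDepthDemo {

  /** Builds a flow-style YAML document of the form [[[...x...]]] with the given depth. */
  static String nestedSequence(int depth) {
    StringBuilder sb = new StringBuilder(depth * 2 + 1);
    for (int i = 0; i < depth; i++) {
      sb.append('[');
    }
    sb.append('x');
    for (int i = 0; i < depth; i++) {
      sb.append(']');
    }
    return sb.toString();
  }

  /** Parses yamlText with an explicit nesting depth limit (snakeyaml 1.31+ API). */
  static Object loadWithLimit(String yamlText, int maxDepth) {
    LoaderOptions opts = new LoaderOptions();
    opts.setNestingDepthLimit(maxDepth);
    return new Yaml(opts).load(yamlText);
  }

  public static void main(String[] args) {
    // Legitimate input well under the limit loads normally.
    Object small = loadWithLimit(nestedSequence(5), 50);
    System.out.println("depth 5 with limit 50 -> " + small);

    // Hostile input: far deeper than any real configuration file. With the limit
    // in place the composer throws a YAMLException after ~50 levels instead of
    // recursing until the stack is gone.
    String hostile = nestedSequence(100_000);
    try {
      loadWithLimit(hostile, 50);
      System.out.println("unexpected: hostile document was accepted");
    } catch (YAMLException e) {
      System.out.println("rejected by depth limit: " + e.getMessage());
    }

    // What an unlimited loader (the 1.26 behaviour) does with the same input.
    // Run only on demand, because it triggers the StackOverflowError that makes
    // this a denial of service.
    if (args.length > 0 && "--unbounded".equals(args[0])) {
      try {
        loadWithLimit(hostile, Integer.MAX_VALUE);
        System.out.println("unexpected: unbounded parse finished");
      } catch (StackOverflowError e) {
        System.out.println("unbounded parse overflowed the stack (the DoS)");
      }
    }
  }
}
```

The first two parses are the ones worth keeping in a regression test: the small document must still load, and the deep one must fail with YAMLException rather than a StackOverflowError. Setting the limit explicitly, rather than relying on the library default, also makes the intended bound visible in the code that scanners and reviewers read.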
stianst added a commit to stianst/keycloak that referenced this issue Jan 11, 2023
stianst added a commit that referenced this issue Jan 12, 2023
stianst added a commit to stianst/keycloak that referenced this issue Jan 12, 2023
@stianst stianst added this to the 20.0.3 milestone Jan 12, 2023
vmuzikar pushed a commit that referenced this issue Jan 12, 2023
6 participants