snakeyaml vulnerability GHSA-3mc7-4q67-w48m impacting CLI #15339
Comments
@abstractj Just checking before we work on it if this is something that you are perhaps already handling?
@vmuzikar I'm afraid that this is something that we are unable to fix at the moment. To be honest, I haven't looked into this, but it is possible to find a detailed explanation here #14850. Unfortunately, I didn't hear anything back from uap-java maintainers since ua-parser/uap-java#74 was created. If you have any questions, please let me know.
I'm closing this one as per last comment from @abstractj.
@abstractj @pedroigor given the usage of ua-parser is largely cosmetic, wouldn't it be easier to remove/refactor/port to another library
Resolves keycloak#15339
CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
More details:
- ua-parser/uap-java#74
Area
admin/cli
Describe the bug
The version of snakeyaml should be upgraded from 1.26 to 1.31 in the artifacts below to address a "high" vuln
keycloak-admin-cli-20.0.0.jar
keycloak-client-registration-cli-20.0.0.jar
See: GHSA-3mc7-4q67-w48m
The Anchore docker image scanner (among others) is flagging that vuln.
Version
20.0.0
Expected behavior
Neither keycloak-admin-cli, nor keycloak-client-registration-cli should have "high" vulnerabilities.
Actual behavior
Both keycloak-admin-cli and keycloak-client-registration-cli have "high" vulnerabilities.
How to Reproduce?
The snakeyaml version of 1.26 being used is known to be vulnerable.
Anything else?
No response
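The report above relies on an image scanner to flag the bundled snakeyaml version. As an added example (not Keycloak's own code), the following check reads the Maven metadata that snakeyaml ships inside a jar and compares it against the fixed release; it assumes the jar keeps the `META-INF/maven/org.yaml/snakeyaml/pom.properties` entry after shading, and the sample jar it builds is a constructed stand-in for the real keycloak-*-cli artifacts.

```python
"""Check whether a jar bundles a snakeyaml release older than the CVE-2022-25857 fix."""
import io
import re
import zipfile

# Release that added the nesting-depth limit (per GHSA-3mc7-4q67-w48m).
SNAKEYAML_FIXED_VERSION = "1.31"
# Path Maven writes for the org.yaml:snakeyaml artifact; assumed to survive shading.
POM_PROPERTIES = "META-INF/maven/org.yaml/snakeyaml/pom.properties"


def parse_version(text):
    """Turn '1.26' or '1.33-SNAPSHOT' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def snakeyaml_version(jar_bytes):
    """Return the snakeyaml version recorded in the jar's Maven metadata, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES not in jar.namelist():
            return None
        for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def is_vulnerable(jar_bytes):
    """True if the jar bundles snakeyaml older than the fixed release."""
    version = snakeyaml_version(jar_bytes)
    if version is None:
        return False  # no bundled snakeyaml metadata; nothing to flag here
    return parse_version(version) < parse_version(SNAKEYAML_FIXED_VERSION)


def build_sample_jar(version):
    """Constructed stand-in for a keycloak-*-cli jar (not the real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(POM_PROPERTIES,
                     f"groupId=org.yaml\nartifactId=snakeyaml\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("1.26", "1.31"):
        print(v, "vulnerable" if is_vulnerable(build_sample_jar(v)) else "ok")
```

Point `is_vulnerable` at the bytes of a real keycloak-admin-cli or keycloak-client-registration-cli jar to reproduce the scanner's finding without a container scan.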