Upgrade to Snakeyaml 1.26 #20366
Comments
Thanks for the suggestion, but we do not upgrade to new minor versions of a dependency in maintenance releases of Spring Boot. We'll pick up SnakeYAML 1.26 in Spring Boot 2.3 in due course as part of our semi-automated dependency upgrade process.

Hi @wilkinsona. SnakeYaml 1.25 (the version currently included in Spring Boot 2.2.x) is affected by a DoS vulnerability, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640. I'm not familiar enough with Spring Boot to know if this library is used to parse untrusted input, so I'm not sure if Spring Boot 2.2.x is affected by this vulnerability. The fix was included in SnakeYaml 1.26 according to the release notes: https://bitbucket.org/asomov/snakeyaml/wiki/Changes. In case Spring Boot 2.2.x is indeed affected by this problem, what would be the correct process to have it fixed without having to wait for Spring Boot 2.3? (#20467). Thank you.
Hi @dberrueta-atlassian, Spring Boot uses SnakeYaml to parse the application configuration, so by default no untrusted input is fed to the parser. If applications choose to use the SnakeYaml library to parse untrusted sources, they can always override the version provided by the Spring Boot dependency management as shown in our reference documentation. In this case, the version property is:

<properties>
    <snakeyaml.version>1.26</snakeyaml.version>
</properties>

For Gradle users it looks like this:

ext['snakeyaml.version'] = '1.26'

Thank you for your answer, @bclozel. It's great to hear that Spring Boot only uses SnakeYaml with trusted inputs. That is exactly the information I needed.
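A small check for the override described in the comment above, as an added example that is not part of the issue thread or of the Spring Boot project: it parses a pom.xml, reads the snakeyaml.version property that Spring Boot's dependency management honours, and compares it with 1.26, the first release the thread names as containing the fix. The sample POMs embedded below are constructed for this example; one of them reproduces the missing closing slash as typed in the comment, which a real build would reject as malformed XML.

```python
"""Check a Maven pom.xml for a sufficient SnakeYAML version override.

Added example, not code from the Spring Boot project or the issue thread.
The sample POMs at the bottom are constructed for this check.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

MIN_FIXED = "1.26"  # first SnakeYAML release with the CVE-2017-18640 fix, per the thread


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://maven.apache.org/POM/4.0.0}x' -> 'x'."""
    return tag.rsplit("}", 1)[-1]


def snakeyaml_override(pom_xml: str) -> Optional[str]:
    """Return the value of <snakeyaml.version> under <properties>, or None if absent."""
    root = ET.fromstring(pom_xml)  # raises ET.ParseError on malformed XML
    for props in root.iter():
        if _local(props.tag) != "properties":
            continue
        for child in props:
            if _local(child.tag) == "snakeyaml.version":
                return (child.text or "").strip()
    return None


def version_tuple(v: str) -> Tuple[int, ...]:
    """'1.26' -> (1, 26); a non-numeric component ends the comparison."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def override_is_sufficient(pom_xml: str, minimum: str = MIN_FIXED) -> bool:
    """True only if the POM pins snakeyaml.version to a version >= minimum."""
    v = snakeyaml_override(pom_xml)
    return v is not None and version_tuple(v) >= version_tuple(minimum)


def is_well_formed(pom_xml: str) -> bool:
    """True if the POM parses as XML at all (Maven rejects it otherwise)."""
    try:
        ET.fromstring(pom_xml)
        return True
    except ET.ParseError:
        return False


# Constructed sample POMs, using the namespace Maven writes.
POM_FIXED = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <snakeyaml.version>1.26</snakeyaml.version>
  </properties>
</project>"""

POM_NO_OVERRIDE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <java.version>11</java.version>
  </properties>
</project>"""

# The property as typed in the thread, with the closing slash missing.
POM_MALFORMED = """<project>
  <properties>
    <snakeyaml.version>1.26<snakeyaml.version>
  </properties>
</project>"""


if __name__ == "__main__":
    print("override sufficient (fixed pom):", override_is_sufficient(POM_FIXED))
    print("override sufficient (no override):", override_is_sufficient(POM_NO_OVERRIDE))
    print("malformed pom well-formed:", is_well_formed(POM_MALFORMED))
```

Run it against a real pom.xml by reading the file into a string and passing it to override_is_sufficient; a False result means either no snakeyaml.version property is set (the Spring Boot managed version applies) or the pinned version is older than 1.26.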
This is required in both 2.1.x and 2.2.x