NIST nvd entry CVE-2022-38752

Issue #548 invalid
Benjamin Lautenschlager created an issue

According to this NVD entry there’s a stack-overflow based vulnerability in SnakeYAML. I haven’t checked the credibility or possible solutions to the problem yet, but since we use SnakeYAML as a dependency this raises vulnerability warnings in our CI/CD pipeline.

Comments (7)

  1. Andrey Somov
    1. unfortunately it was proven to have too many false positives (like in this case)
    2. if you do not blindly open a socket and consume any trash from any untrusted user without authentication, you are safe
    3. similar case already reported many times in SnakeYAML (I welcome you to search before you create a new issue)
    4. there is a wiki with explanation

    My disappointment with the low quality tooling is growing…

  2. Benjamin Lautenschlager (reporter)

    Okay, thanks for your explanation. I could probably have found your explanation in the Wiki, where I haven’t searched. I searched your issues of course, but I don’t really understand why older CVEs make this one invalid.

    The tool itself is not really to blame here, is it? It merely searches the CVE DB and matches described versions - if anything, then the report at NIST itself is the one that’s wrong.

    Unfortunately we do not use SnakeYAML as a direct but rather as a transitive dependency, so I have no control over the way data is fed into the relevant InputStreams. We will assess the risk for our software solutions and act accordingly.

  3. Andrey Somov

    The tool is very bad. It consumed your time, it consumed my time. We both wasted a lot of time.

    You must have complete control over how you feed the data. Do you mean that you allow some component to open a socket and consume any input from anywhere? In this case SnakeYAML is the least of concern.

    I think you depend on a tool which is using SnakeYAML to parse internal configuration. In this case you are safe. That is why it is a false positive.
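The point made in the thread is that the parser is only exposed where YAML from an uncontrolled source reaches it. As an added example that is not part of this thread or of SnakeYAML's own code, the snippet below shows how a consumer that does accept such input can bound the nesting depth instead of relying on the call stack. It assumes SnakeYAML 1.32 or later, where LoaderOptions.setNestingDepthLimit exists; the class name, the helper methods and the limit of 20 are chosen for the demo.

```java
// Added example (not from the issue thread): bounding SnakeYAML nesting depth.
// Assumes SnakeYAML 1.32+, where LoaderOptions.setNestingDepthLimit() exists.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class NestingLimitDemo {          // hypothetical class name for this demo

    /** Builds a Yaml instance that refuses documents nested deeper than maxDepth. */
    static Yaml boundedLoader(int maxDepth) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(maxDepth); // demo value; the library ships its own default
        // SafeConstructor: standard YAML tags only, no arbitrary Java class instantiation
        return new Yaml(new SafeConstructor(opts));
    }

    /** Returns true if the document was accepted, false if the loader rejected it. */
    static boolean loads(Yaml yaml, String doc) {
        try {
            yaml.load(doc);
            return true;
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    /** Constructed sample: a flow sequence nested 'depth' levels deep, e.g. [[[]]] for 3. */
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) {
        Yaml yaml = boundedLoader(20);
        // Typical trusted configuration file: shallow, so it is accepted.
        String config = "server:\n  port: 8080\n  tls: true\n";
        System.out.println("config accepted: " + loads(yaml, config));
        // Input deeper than the limit is rejected with a YAMLException rather than
        // being handed to a recursive composer that may run out of stack.
        System.out.println("deep input accepted: " + loads(yaml, nestedSequence(200)));
    }
}
```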
