- changed status to open
Introduce black list for classloading
To solve:
https://nvd.nist.gov/vuln/detail/CVE-2022-1471
https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
https://bitbucket.org/snakeyaml/snakeyaml/issues/563/cve-2022-1471-snakeyamls-constructor-class
https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/
Comments (10)
-
reporter - changed title to Introduce black list for classloading
Include only the ScriptEngineManager and ClassLoader
-
reporter - edited description
-
reporter - edited description
-
reporter - changed status to wontfix
SnakeYAML should not compensate issues in other libraries
-
Hi Andrey, can you please share some details: what is the issue, and in which library? So it could be tracked accordingly with them. Currently the CVE points here and there is no detail.
Thank you.
-
reporter @Anton Pryamostanov I did not quite catch you.
This particular issue was an attempt to introduce a blacklist. It was rejected. Which CVE points here?
-
Hi Andrey, understood. Thank you for clarifying. It was the same CVE (CVE-2022-1471); I will use the solution from #561 (SnakeYAML 2.0).
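The thread opens with a proposal to blacklist ScriptEngineManager and ClassLoader and closes with Anton moving to the SnakeYAML 2.0 approach from #561. The example below is added here; it is not code from this issue, from SnakeYAML, or from either commenter. It puts three loader configurations side by side on a constructed document: the 1.x default Constructor, which resolves any `!!` global tag to a class and instantiates it (the CVE-2022-1471 behaviour), SafeConstructor, and a typed Constructor under SnakeYAML 2.x, where the default LoaderOptions rejects global tags that no TagInspector has allowed. The Settings and Probe classes, the YAML strings and the helper names are assumptions made for the demonstration; the SnakeYAML calls used (LoaderOptions, SafeConstructor(LoaderOptions), Constructor(Class, LoaderOptions)) are the library's public API as I know it on 1.33 and 2.x.

```java
import java.util.Map;
import java.util.function.Supplier;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class UntrustedYamlDemo {

    /** Hypothetical settings bean: the only type the application means to load. */
    public static class Settings {
        public String name;
        public int retries;
        public Map<String, Object> labels;

        @Override
        public String toString() {
            return "Settings{name=" + name + ", retries=" + retries + ", labels=" + labels + "}";
        }
    }

    /** Hypothetical stand-in for a class the document was never meant to name.
     *  Its constructor only counts invocations; a real gadget would do damage here. */
    public static class Probe {
        public static int instantiated = 0;
        public Probe() { instantiated++; }
    }

    // Constructed input. The explicit global tag on "owner" is the syntax CVE-2022-1471
    // abuses: a permissive Constructor resolves it to a class and instantiates it, even
    // though the surrounding document looks like ordinary configuration.
    static final String HOSTILE =
            "name: primary\nretries: 3\nlabels: {owner: !!" + Probe.class.getName() + " {}}\n";

    // Constructed input: the document the application actually expects.
    static final String BENIGN = "name: primary\nretries: 3\nlabels: {owner: team-a}\n";

    /** On SnakeYAML 1.x this is the VULNERABLE form: the default Constructor instantiates
     *  whatever class a global tag names. On 2.x the same call rejects global tags by default. */
    static Object loadWithDefaults(String doc) {
        return new Yaml().load(doc);
    }

    /** HARDENED for data-only documents on 1.x and 2.x: SafeConstructor knows only the
     *  standard YAML tags and throws a YAMLException on any other global tag. */
    static Object loadDataOnly(String doc) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
    }

    /** HARDENED for typed configuration, assuming SnakeYAML 2.x: the root is bound to
     *  Settings and the default LoaderOptions rejects global tags unless a TagInspector
     *  allows them. On 1.x a typed root alone does NOT block nested global tags. */
    static Settings loadSettings(String doc) {
        return new Yaml(new Constructor(Settings.class, new LoaderOptions())).load(doc);
    }

    /** Run one loader and report whether it built the object or refused the document. */
    static void attempt(String label, Supplier<Object> load) {
        try {
            Object result = load.get();
            System.out.println(label + ": loaded " + result
                    + "; Probe constructor ran " + Probe.instantiated + " time(s)");
        } catch (YAMLException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) {
        System.out.println("== hostile document ==");
        attempt("default Constructor", () -> loadWithDefaults(HOSTILE));
        attempt("SafeConstructor", () -> loadDataOnly(HOSTILE));
        attempt("typed Constructor", () -> loadSettings(HOSTILE));

        System.out.println("== benign document ==");
        attempt("SafeConstructor", () -> loadDataOnly(BENIGN));
        attempt("typed Constructor", () -> loadSettings(BENIGN));
    }
}
```

Compile with the snakeyaml jar on the classpath and run it twice, once against 1.x and once against 2.x: on 1.x the first line reports that Probe was instantiated, while on 2.x all three loaders reject the hostile document and the benign one still loads. The blacklist proposed at the top of the thread would not have changed the 1.x result, since Probe is neither ScriptEngineManager nor a ClassLoader; an allowlist (SafeConstructor, or a TagInspector that names the few classes a document may reference) is the shape that holds up.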
-
reporter When you use Spring there is no issue and the report is a false positive. Either ignore it or file a bug in Checkmarx.