Introduce black list for classloading

Comments (10)

1. 

   Andrey Somov reporter

   • changed status to open

   • 2022-12-08T06:14:52+00:00
2. 

   Andrey Somov reporter

   • changed title to Introduce black list for classloading

   Include only the ScriptEngineManager and ClassLoader

   • 2022-12-08T06:17:05+00:00
3. 

   Andrey Somov reporter

   • edited description

   • 2022-12-08T06:18:08+00:00
4. 

   Andrey Somov reporter

   • edited description

   • 2022-12-08T07:03:21+00:00
5. 

   Andrey Somov reporter

   • changed status to wontfix

   SnakeYAML should not compensate issues in other libraries

   • 2022-12-13T11:04:29+00:00
6. 

   Anton Pryamostanov

   Hi Andrey, Can you please share some details, what is the issue and in which library. So it could be tracked accordingly with them. Currently CVE points here and there is no detail.

   Thank you.

   • 2023-03-06T09:48:17+00:00
7. 

   Andrey Somov reporter

   @Anton Pryamostanov I did not quite catch you.
   This particular issue was an attempt to introduce a blacklist. It was rejected.

   Which CVE points here ?

   • 2023-03-06T10:13:07+00:00
8. 

   Anton Pryamostanov

   Hi Andrey, understood. Thank you for clarifying. It was same CVE (CVE-2022-1471), I will use solution from #561 (Snake YAML 2.0).

   • 2023-03-08T08:02:50+00:00
9. 

   Sijan Bhandari

   https://devhub.checkmarx.com/cve-details/CVE-2022-1471/

   ‌

   • 2023-10-23T05:08:43+00:00
10. 

    Andrey Somov reporter

    When you use Spring there is no issue and the report is a false positive. Either ignore it or file bug in checkmars

    • 2023-10-23T05:46:15+00:00
11. Log in to comment