Details
- Type: Dependency upgrade
- Status: Resolved
- Priority: Major
- Resolution: Not A Problem
- Affects Version/s: 8.0.13
- Fix Version/s: None
Description
The security team has reported an issue with one of the libraries (SnakeYAML) that is part of the TomEE distribution.
With TomEE 8.0.13, we have this library updated to 1.30. Although the affected versions of this jar are never mentioned, the following information is provided:
The maintainers of SnakeYAML have stated in an advisory that SnakeYAML is not designed to be used to process YAML files from untrusted sources.
We wanted to check if TomEE is vulnerable to this CVE, since there is nothing to update from the SnakeYAML perspective; it is more a matter of the configuration / usage of its libraries in the respective projects that use them (here TomEE).
Please help if there is already a discussion around this; we would be happy to coordinate.
---------------
Summary: SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
Solution: N/A
Workaround: N/A
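As an added illustration of the advisory's recommendation (this is example code, not TomEE's or SnakeYAML's own), the following shows the unsafe `Constructor()` usage beside the hardened `SafeConstructor()` usage and checks that the hardened loader rejects any document carrying an explicit `!!` type tag. It assumes SnakeYAML 1.30 (the version the issue mentions) on the classpath; the YAML documents and class name are constructed for the example.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/** Example (not project code): how to load YAML that arrives from an untrusted source. */
public class UntrustedYamlLoader {

    // Unsafe pattern the advisory warns about: Constructor() resolves "!!some.ClassName"
    // tags to any class on the classpath and instantiates it from attacker-chosen data.
    static Object loadUnsafe(String untrustedYaml) {
        return new Yaml(new Constructor()).load(untrustedYaml);
    }

    // Hardened pattern: SafeConstructor only builds standard YAML types (maps, lists,
    // strings, numbers, booleans, timestamps) and throws on any tag it does not know.
    static Object loadSafe(String untrustedYaml) {
        return new Yaml(new SafeConstructor()).load(untrustedYaml);
    }

    // Returns true when the hardened loader refuses the document.
    static boolean isRejectedBySafeLoader(String untrustedYaml) {
        try {
            loadSafe(untrustedYaml);
            return false;
        } catch (YAMLException e) {   // ConstructorException for unknown tags
            return true;
        }
    }

    // Constructed sample input: a plain config document and one with an explicit type tag.
    static final String PLAIN = "name: tomee\nport: 8080\n";
    static final String TAGGED = "!!java.lang.Object {}\n";

    public static void main(String[] args) {
        Map<?, ?> cfg = (Map<?, ?>) loadSafe(PLAIN);
        System.out.println("plain document loads as a Map: " + cfg);          // {name=tomee, port=8080}
        System.out.println("tagged document rejected: " + isRejectedBySafeLoader(TAGGED)); // true
        // loadUnsafe(TAGGED) is deliberately not called: it would resolve the tag to a class.
    }
}
```

Auditing for this issue in a project such as TomEE therefore means finding every `new Yaml(...)` that uses `Constructor` (or the no-argument `new Yaml()`, which defaults to it) and confirming that the input it parses is never attacker-controlled.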