Skip to content

MONIT-34093 - Mitigation for CVE-2022-1471 #838

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

MONIT-34093 - Mitigation for CVE-2022-1471 #838

wants to merge 1 commit into from

Conversation

@ajackson
Copy link
Contributor

@ajackson ajackson commented Apr 4, 2023

  • explicitly add dependency on snakeyaml since we import it directly in the code
  • use SafeConstructor form of the Yaml object construction to mitigate CVE-2022-1471

@ajackson
MONIT-34093 - Mitigation for CVE-2022-1471
ff48c06 
- explicitly add dependency on snakeyaml since we import it directly in the code
- use SafeConstructor form of the Yaml object construction to mitigate CVE-2022-1471
@ajackson
Copy link
Contributor Author

ajackson commented Apr 4, 2023
edited
Loading

Note the Dependency Review will fail due to explicit inclusion of snakeyaml 1.33 but the code mitigation using the SafeConstructor is applied.
https://wiki.folio.org/display/SEC/SnakeYaml+SafeConstructor

@ajackson
Copy link
Contributor Author

ajackson commented Apr 4, 2023

A better fix using snakeyaml 2.0 #839

@ajackson ajackson closed this Apr 4, 2023
@ajackson ajackson deleted the jacksonal/MONIT-34093 branch April 4, 2023 20:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@locke-chappel locke-chappel Awaiting requested review from locke-chappel

@laullon laullon Awaiting requested review from laullon

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ajackson