You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@tomee.apache.org by "Richard Zowalla (Jira)" <ji...@apache.org> on 2022/09/12 07:41:00 UTC

[jira] [Commented] (TOMEE-4041) 4 CVE Vulnerabilities in snakeyaml-1.30.jar

    [ https://issues.apache.org/jira/browse/TOMEE-4041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17602973#comment-17602973 ] 

Richard Zowalla commented on TOMEE-4041:
----------------------------------------

We are on snakeyaml 1.31 now. That should include the fixes for CVE-2022-25857, CVE-2022-38751, and CVE-2022-38750. 

CVE-2022-38752 will be fixed with the release of snakeyaml 1.32 (see [related Jira |https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081]).



> 4 CVE Vulnerabilities in snakeyaml-1.30.jar 
> --------------------------------------------
>
>                 Key: TOMEE-4041
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4041
>             Project: TomEE
>          Issue Type: Bug
>    Affects Versions: 9.0.0-M8, 8.0.12
>            Reporter: Yugandher reddy vonteddu
>            Priority: Major
>              Labels: CVE
>
> There are 4 new CVE variabilities in snakeyaml-1.30.jar vulnerable to Denial of Service attacks (DOS)
> [CVE-2022-25857|https://nvd.nist.gov/vuln/detail/CVE-2022-25857]
> [CVE-2022-38749|https://nvd.nist.gov/vuln/detail/CVE-2022-38749]
> [CVE-2022-38750|https://nvd.nist.gov/vuln/detail/CVE-2022-38750]
> [CVE-2022-38751|https://nvd.nist.gov/vuln/detail/CVE-2022-38751]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)