dromara/mendmix-cloud

Dependency org.yaml:snakeyaml, leading to CVE problem

CVEDetect opened this issue · 0 comments

Hi, In /mendmix-cache,there is a dependency org.yaml:snakeyaml:1.29 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is ** [0,1.31)**

After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

CVE Bug Invocation Path : 
com.mendmix.cache.command.RedisBase: listDerialize(java.util.List)Ljava.util.List; .m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.13.3/jackson-annotations-2.13.3.jar
org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object; .m2/repository/org/springframework/spring-context-support/5.2.9.RELEASE/spring-context-support-5.2.9.RELEASE.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object; .m2/repository/org/springframework/spring-context-support/5.2.9.RELEASE/spring-context-support-5.2.9.RELEASE.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; .m2/repository/org/springframework/spring-context-support/5.2.9.RELEASE/spring-context-support-5.2.9.RELEASE.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] com.mendmix:mendmix-cache:jar:1.4.2
[INFO] +- com.mendmix:mendmix-common:jar:1.4.2:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] |  +- com.esotericsoftware:kryo:jar:5.0.4:compile
[INFO] |  |  +- com.esotericsoftware:reflectasm:jar:1.11.9:compile
[INFO] |  |  +- org.objenesis:objenesis:jar:3.1:compile
[INFO] |  |  \- com.esotericsoftware:minlog:jar:1.3.1:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.29:compile
[INFO] |  \- net.sf.jmimemagic:jmimemagic:jar:0.1.5:compile
[INFO] |     +- commons-logging:commons-logging:jar:1.0.4:compile
[INFO] |     \- commons-io:commons-io:jar:2.1:compile
[INFO] +- com.mendmix:mendmix-spring:jar:1.4.2:compile
[INFO] |  +- org.springframework:spring-context:jar:5.3.18:compile
[INFO] |  +- org.springframework:spring-core:jar:5.3.18:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.3.18:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.18:compile
[INFO] |  +- org.springframework:spring-tx:jar:5.3.18:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.3.18:compile
[INFO] |  +- org.springframework:spring-expression:jar:5.3.18:compile
[INFO] |  \- org.springframework:spring-aspects:jar:5.3.18:compile
[INFO] |     \- org.aspectj:aspectjweaver:jar:1.9.7:compile
[INFO] +- redis.clients:jedis:jar:3.3.0:compile
[INFO] |  \- org.apache.commons:commons-pool2:jar:2.6.2:compile
[INFO] +- com.google.guava:guava:jar:30.1.1-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.8.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.5.1:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] +- net.sf.ehcache:ehcache-core:jar:2.6.11:compile
[INFO] +- org.springframework.data:spring-data-redis:jar:2.3.4.RELEASE:compile
[INFO] |  +- org.springframework.data:spring-data-keyvalue:jar:2.3.4.RELEASE:compile
[INFO] |  |  \- org.springframework.data:spring-data-commons:jar:2.3.4.RELEASE:compile
[INFO] |  +- org.springframework:spring-oxm:jar:5.2.9.RELEASE:compile
[INFO] |  \- org.springframework:spring-context-support:jar:5.2.9.RELEASE:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.2:test
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:test
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.2:test
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- junit:junit:jar:4.13.3-SNAPSHOT:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- org.springframework:spring-test:jar:5.3.18:test

Suggested solutions:

Update dependency version

Thank you very much.