Dependency org.yaml:snakeyaml, leading to CVE problem

Question

Dependency org.yaml:snakeyaml, leading to CVE problem

Closed this issue 2 years ago · 1 comments

Hi, In /，there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

CVE Bug Invocation Path : 
com.jeroenreijn.examples.view.KotlinxHtmlIndexView$Companion: presentationsTemplate(java.lang.Iterable)Ljava.lang.String; /.m2/repository/org/eclipse/jdt/ecj/3.18.0/ecj-3.18.0.jar
org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object; /.m2/repository/org/eclipse/jdt/ecj/3.18.0/ecj-3.18.0.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object; /.m2/repository/org/eclipse/jdt/ecj/3.18.0/ecj-3.18.0.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /.m2/repository/org/eclipse/jdt/ecj/3.18.0/ecj-3.18.0.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] com.jeroenreijn:spring-comparing-template-engines:war:0.9.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.5:compile
[INFO] |  \- org.springframework.boot:spring-boot:jar:2.7.5:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.5:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.5:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.7.5:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4.2:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.4:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.4:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.4:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.4:compile
[INFO] |  +- org.springframework:spring-web:jar:5.3.23:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.23:compile
[INFO] |     +- org.springframework:spring-aop:jar:5.3.23:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.3.23:compile
[INFO] +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.5:compile
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.68:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.68:compile
[INFO] |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.68:compile
[INFO] +- org.springframework:spring-context-support:jar:5.3.23:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.23:compile
[INFO] |  +- org.springframework:spring-context:jar:5.3.23:compile
[INFO] |  \- org.springframework:spring-core:jar:5.3.23:compile
[INFO] |     \- org.springframework:spring-jcl:jar:5.3.23:compile
[INFO] +- org.webjars:bootstrap:jar:5.2.3:compile
[INFO] +- org.apache.tomcat.embed:tomcat-embed-jasper:jar:9.0.68:provided
[INFO] |  \- org.eclipse.jdt:ecj:jar:3.18.0:provided
[INFO] +- javax.servlet:jstl:jar:1.2:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.7.5:compile
[INFO] |  +- org.thymeleaf:thymeleaf-spring5:jar:3.0.11.RELEASE:compile
[INFO] |  |  \- org.thymeleaf:thymeleaf:jar:3.0.11.RELEASE:compile
[INFO] |  |     \- org.attoparser:attoparser:jar:2.0.5.RELEASE:compile
[INFO] |  \- org.thymeleaf.extras:thymeleaf-extras-java8time:jar:3.0.4.RELEASE:compile
[INFO] +- org.ow2.asm:asm-xml:jar:6.2.1:compile
[INFO] |  +- org.ow2.asm:asm:jar:6.2.1:compile
[INFO] |  \- org.ow2.asm:asm-util:jar:6.2.1:compile
[INFO] |     +- org.ow2.asm:asm-tree:jar:6.2.1:compile
[INFO] |     \- org.ow2.asm:asm-analysis:jar:6.2.1:compile
[INFO] +- com.github.jknack:handlebars-springmvc:jar:4.3.1:compile
[INFO] |  \- com.github.jknack:handlebars:jar:4.3.1:compile
[INFO] +- com.x5dev:chunk-templates:jar:3.6.2:compile
[INFO] +- com.x5dev:chunk-springmvc:jar:0.1.0:compile
[INFO] +- org.freemarker:freemarker:jar:2.3.28:compile
[INFO] +- com.github.httl:httl-springmvc:jar:1.0.11:compile
[INFO] |  \- com.github.httl:httl:jar:1.0.11:compile
[INFO] +- org.apache.velocity:velocity-engine-core:jar:2.0:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] +- org.apache.velocity.tools:velocity-tools-view:jar:3.0:compile
[INFO] |  +- org.apache.velocity.tools:velocity-tools-generic:jar:3.0:compile
[INFO] |  |  +- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO] |  |  \- com.github.cliftonlabs:json-simple:jar:3.0.2:compile
[INFO] |  \- org.apache.commons:commons-digester3:jar:3.2:compile
[INFO] |     +- cglib:cglib:jar:2.2.2:compile
[INFO] |     |  \- asm:asm:jar:3.3.1:compile
[INFO] |     \- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] +- com.alibaba.boot:velocity-spring-boot-starter:jar:1.0.4.RELEASE:compile
[INFO] |  \- com.alibaba.boot:velocity-spring-boot-autoconfigure:jar:1.0.4.RELEASE:compile
[INFO] |     +- com.alibaba.spring:spring-context-velocity:jar:1.4.3.18.RELEASE:compile
[INFO] |     +- com.alibaba.spring:spring-webmvc-velocity:jar:1.4.3.18.RELEASE:compile
[INFO] |     +- com.alibaba.boot:spring-boot-web-support:jar:1.0.0.RELEASE:compile
[INFO] |     |  \- com.alibaba.spring:spring-webmvc-support:jar:1.0.0.RELEASE:compile
[INFO] |     |     \- com.alibaba.spring:spring-context-support:jar:1.0.0.RELEASE:compile
[INFO] |     +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] |     |  \- commons-lang:commons-lang:jar:2.4:compile
[INFO] |     \- org.apache.velocity:velocity-tools:jar:2.0:compile
[INFO] |        +- commons-digester:commons-digester:jar:1.8:compile
[INFO] |        +- commons-chain:commons-chain:jar:1.1:compile
[INFO] |        +- commons-validator:commons-validator:jar:1.3.1:compile
[INFO] |        +- dom4j:dom4j:jar:1.1:compile
[INFO] |        +- oro:oro:jar:2.0.8:compile
[INFO] |        \- sslext:sslext:jar:1.2-0:compile
[INFO] +- de.neuland-bfi:spring-jade4j:jar:1.3.1:compile
[INFO] |  +- de.neuland-bfi:jade4j:jar:1.3.1:compile
[INFO] |  |  +- org.apache.commons:commons-jexl:jar:2.1.1:compile
[INFO] |  |  +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  |  +- com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru:jar:1.4.2:compile
[INFO] |  |  \- com.vladsch.flexmark:flexmark:jar:0.42.14:compile
[INFO] |  |     \- com.vladsch.flexmark:flexmark-util:jar:0.42.14:compile
[INFO] |  \- commons-io:commons-io:jar:2.4:compile
[INFO] +- org.springframework.boot:spring-boot-starter-mustache:jar:2.7.5:compile
[INFO] |  \- com.samskivert:jmustache:jar:1.15:compile
[INFO] +- io.pebbletemplates:pebble:jar:3.1.6:compile
[INFO] |  \- org.unbescape:unbescape:jar:1.1.6.RELEASE:compile
[INFO] +- io.pebbletemplates:pebble-spring-boot-starter:jar:3.1.6:compile
[INFO] |  \- io.pebbletemplates:pebble-spring5:jar:3.1.6:compile
[INFO] +- org.scalatra.scalate:scalate-core_2.13:jar:1.9.8:compile
[INFO] |  +- org.scala-lang:scala-compiler:jar:2.13.8:compile
[INFO] |  |  +- org.scala-lang:scala-reflect:jar:2.13.8:compile
[INFO] |  |  +- org.jline:jline:jar:3.21.0:compile
[INFO] |  |  \- net.java.dev.jna:jna:jar:5.9.0:compile
[INFO] |  +- org.scala-lang:scala-library:jar:2.13.8:compile
[INFO] |  \- org.scalatra.scalate:scalate-util_2.13:jar:1.9.8:compile
[INFO] |     +- org.scala-lang.modules:scala-parser-combinators_2.13:jar:2.1.1:compile
[INFO] |     \- org.scala-lang.modules:scala-xml_2.13:jar:2.0.1:compile
[INFO] +- org.scalatra.scalate:scalate-spring-mvc_2.13:jar:1.9.8:compile
[INFO] +- com.github.xmlet:htmlflow:jar:4.0:compile
[INFO] |  +- org.slf4j:slf4j-simple:jar:1.7.36:compile
[INFO] |  +- com.github.xmlet:htmlApiFaster:jar:1.0.12:compile
[INFO] |  |  +- com.github.xmlet:xsdAsmFaster:jar:1.0.10:compile
[INFO] |  |  |  +- org.ow2.asm:asm-parent:pom:6.0:compile
[INFO] |  |  |  +- org.ow2.asm:asm-commons:jar:6.0:compile
[INFO] |  |  |  \- com.github.xmlet:xsdParser:jar:1.0.13:compile
[INFO] |  |  |     \- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] |  |  +- org.jboss.windup.decompiler:decompiler-fernflower:jar:4.0.0.Final:compile
[INFO] |  |  |  +- org.jboss.windup.decompiler.fernflower:windup-fernflower:jar:1.0.0.20171018:compile
[INFO] |  |  |  +- org.jboss.windup.decompiler:decompiler-api:jar:forge-addon:4.0.0.Final:compile
[INFO] |  |  |  \- org.jboss.windup.utils:windup-utils:jar:forge-addon:4.0.0.Final:compile
[INFO] |  |  |     +- org.apache.commons:commons-collections4:jar:4.1:compile
[INFO] |  |  |     \- com.google.guava:guava:jar:18.0:compile
[INFO] |  |  \- org.reactivestreams:reactive-streams:jar:1.0.4:compile
[INFO] |  \- org.jsoup:jsoup:jar:1.15.3:compile
[INFO] +- org.trimou:trimou-core:jar:2.5.1.Final:compile
[INFO] +- com.fizzed:rocker-runtime:jar:1.3.0:compile
[INFO] +- com.github.enpassant:ickenham-spring-mvc_2.13:jar:1.5.0:compile
[INFO] |  \- com.github.enpassant:ickenham_2.13:jar:1.5.0:compile
[INFO] +- org.rythmengine:rythm-engine:jar:1.4.1:compile
[INFO] |  +- org.eclipse.jdt.core.compiler:ecj:jar:4.6.1:compile
[INFO] |  +- com.stevesoft.pat:pat:jar:1.5.3:compile
[INFO] |  +- com.alibaba:fastjson:jar:1.2.75:compile
[INFO] |  +- org.mvel:mvel2:jar:2.4.12.Final:compile
[INFO] |  +- org.mockito:mockito-core:jar:4.5.1:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.12.18:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.18:compile
[INFO] |  |  \- org.objenesis:objenesis:jar:3.2:runtime
[INFO] |  +- org.osgl:osgl-version:jar:2.0.0-BETA-4-JAVA7:compile
[INFO] |  \- org.osgl:osgl-ut:jar:2.0.0-BETA-4-JAVA7:compile
[INFO] |     \- org.hamcrest:hamcrest-junit:jar:2.0.0.0:compile
[INFO] |        \- org.hamcrest:java-hamcrest:jar:2.0.0.0:compile
[INFO] +- org.rythmengine:spring-rythm:jar:1.2.2:compile
[INFO] |  +- org.osgl:osgl-mvc:jar:1.5.1:compile
[INFO] |  |  +- org.osgl:osgl-tool:jar:1.7.0:compile
[INFO] |  |  \- org.osgl:osgl-http:jar:1.4.0:compile
[INFO] |  |     \- org.osgl:osgl-cache:jar:1.1.0:compile
[INFO] |  +- org.osgl:osgl-logging:jar:1.1.0:compile
[INFO] |  +- org.osgl:osgl-storage:jar:1.5.0:compile
[INFO] |  \- junit:junit:jar:4.13.2:compile
[INFO] |     \- org.hamcrest:hamcrest-core:jar:2.2:compile
[INFO] +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.7.20:compile
[INFO] |  +- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.7.20:compile
[INFO] |  \- org.jetbrains:annotations:jar:13.0:compile
[INFO] +- org.jetbrains.kotlinx:kotlinx-html-jvm:jar:0.8.0:compile
[INFO] |  \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.7.20:runtime
[INFO] |     \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.7.20:runtime
[INFO] +- org.springframework.boot:spring-boot-starter-groovy-templates:jar:2.7.5:compile
[INFO] |  \- org.codehaus.groovy:groovy-templates:jar:3.0.13:compile
[INFO] |     +- org.codehaus.groovy:groovy:jar:3.0.13:compile
[INFO] |     \- org.codehaus.groovy:groovy-xml:jar:3.0.13:runtime
[INFO] +- nl.big-o:liqp:jar:0.8.5.1:compile
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:2.7.5:test
[INFO]    +- org.springframework.boot:spring-boot-test:jar:2.7.5:test
[INFO]    +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.5:test
[INFO]    +- com.jayway.jsonpath:json-path:jar:2.7.0:test
[INFO]    |  \- net.minidev:json-smart:jar:2.4.8:test
[INFO]    |     \- net.minidev:accessors-smart:jar:2.4.8:test
[INFO]    +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test
[INFO]    |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test
[INFO]    +- org.assertj:assertj-core:jar:3.22.0:test
[INFO]    +- org.hamcrest:hamcrest:jar:2.2:test
[INFO]    +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
[INFO]    |  +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO]    |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO]    |  |  +- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO]    |  |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO]    |  +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
[INFO]    |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO]    |     \- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO]    +- org.mockito:mockito-junit-jupiter:jar:4.5.1:test
[INFO]    +- org.skyscreamer:jsonassert:jar:1.5.1:test
[INFO]    |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO]    +- org.springframework:spring-test:jar:5.3.23:test
[INFO]    \- org.xmlunit:xmlunit-core:jar:2.9.0:test

Suggested solutions:

Update dependency version

Thank you very much.

Answer 1 · 2023-03-29T06:39:08.000Z

Will be solved in Spring 3.