Dependency org.yaml:snakeyaml, leading to CVE problem

Question

Dependency org.yaml:snakeyaml, leading to CVE problem

CVEDetect opened this issue 2 years ago · 0 comments

Hi, In /congomall-test-all/congomall-yaml-test，there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

org.opengoofy.congomall.test.yaml.CustomerRepresenter: representMapping(org.yaml.snakeyaml.nodes.Tag,java.util.Map,org.yaml.snakeyaml.DumperOptions$FlowStyle)Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar
org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] org.opengoofy.congomall:congomall-yaml-test:jar:0.0.1-SNAPSHOT
[INFO] +- org.yaml:snakeyaml:jar:1.30:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.20:compile
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:2.3.12.RELEASE:test
[INFO]    +- org.springframework.boot:spring-boot-starter:jar:2.3.12.RELEASE:test
[INFO]    |  +- org.springframework.boot:spring-boot:jar:2.3.12.RELEASE:test
[INFO]    |  |  \- org.springframework:spring-context:jar:5.2.15.RELEASE:test
[INFO]    |  |     +- org.springframework:spring-aop:jar:5.2.15.RELEASE:test
[INFO]    |  |     +- org.springframework:spring-beans:jar:5.2.15.RELEASE:test
[INFO]    |  |     \- org.springframework:spring-expression:jar:5.2.15.RELEASE:test
[INFO]    |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.3.12.RELEASE:test
[INFO]    |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.3.12.RELEASE:test
[INFO]    |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:test
[INFO]    |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:test
[INFO]    |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:test
[INFO]    |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.13.3:test
[INFO]    |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.30:test
[INFO]    |  \- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:test
[INFO]    +- org.springframework.boot:spring-boot-test:jar:2.3.12.RELEASE:test
[INFO]    +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.3.12.RELEASE:test
[INFO]    +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO]    |  +- net.minidev:json-smart:jar:2.3.1:test
[INFO]    |  |  \- net.minidev:accessors-smart:jar:2.3.1:test
[INFO]    |  |     \- org.ow2.asm:asm:jar:5.0.4:test
[INFO]    |  \- org.slf4j:slf4j-api:jar:1.7.30:test
[INFO]    +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test
[INFO]    |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test
[INFO]    +- org.assertj:assertj-core:jar:3.16.1:test
[INFO]    +- org.hamcrest:hamcrest:jar:2.2:test
[INFO]    +- org.junit.jupiter:junit-jupiter:jar:5.6.3:test
[INFO]    |  +- org.junit.jupiter:junit-jupiter-api:jar:5.6.3:test
[INFO]    |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO]    |  |  \- org.junit.platform:junit-platform-commons:jar:1.6.3:test
[INFO]    |  +- org.junit.jupiter:junit-jupiter-params:jar:5.6.3:test
[INFO]    |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.6.3:test
[INFO]    +- org.junit.vintage:junit-vintage-engine:jar:5.6.3:test
[INFO]    |  +- org.apiguardian:apiguardian-api:jar:1.1.0:test
[INFO]    |  +- org.junit.platform:junit-platform-engine:jar:1.6.3:test
[INFO]    |  \- junit:junit:jar:4.13.2:test
[INFO]    +- org.mockito:mockito-core:jar:3.3.3:test
[INFO]    |  +- net.bytebuddy:byte-buddy:jar:1.10.22:test
[INFO]    |  +- net.bytebuddy:byte-buddy-agent:jar:1.10.22:test
[INFO]    |  \- org.objenesis:objenesis:jar:2.6:test
[INFO]    +- org.mockito:mockito-junit-jupiter:jar:3.3.3:test
[INFO]    +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO]    |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO]    +- org.springframework:spring-core:jar:5.2.15.RELEASE:test
[INFO]    |  \- org.springframework:spring-jcl:jar:5.2.15.RELEASE:test
[INFO]    +- org.springframework:spring-test:jar:5.2.15.RELEASE:test
[INFO]    \- org.xmlunit:xmlunit-core:jar:2.7.0:test

Suggested solutions:

Update dependency version

Thank you very much.