CVE-2022-1471- SnakeYaml remote code execution by sending malicious YAML content

Closes #25261 Signed-off-by: Douglas Palmer dpalmer@redhat.com
2023-07-06 15:56:02 -07:00 · 2023-07-06 15:56:02 -07:00 · ee5593a88f
commit ee5593a88f
parent 21bdea3b71
1 changed files with 12 additions and 0 deletions
--- a/pom.xml
+++ b/pom.xml
@ -134,6 +134,7 @@
        <xmlsec.version>2.2.6</xmlsec.version>
        <nashorn.version>15.4</nashorn.version>
        <ua-parser.version>1.5.4</ua-parser.version>
+        <org.yaml.snakeyaml.version>2.0</org.yaml.snakeyaml.version>
        <picketbox.version>5.0.3.Final</picketbox.version>
        <xstream.version>1.4.20</xstream.version>
        <org.snakeyaml.snakeyaml-engine.version>2.6</org.snakeyaml.snakeyaml-engine.version>
@ -430,6 +431,17 @@
                <groupId>com.github.ua-parser</groupId>
                <artifactId>uap-java</artifactId>
                <version>${ua-parser.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.yaml</groupId>
+                        <artifactId>snakeyaml</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <dependency>
+                <groupId>org.yaml</groupId>
+                <artifactId>snakeyaml</artifactId>
+                <version>${org.yaml.snakeyaml.version}</version>
            </dependency>

            <!--JAKARTA-->