
SnakeYAML 1.27 vulnerability in Jinjava 2.7.1 #1115

Open
sfc-gh-ssen opened this issue Sep 14, 2023 · 1 comment

Comments

@sfc-gh-ssen

Hi Team,
We recently found out that the SnakeYAML library 1.27 has some vulnerabilities which are fixed in later versions:

| Package | Installed | Fixed in | Type | Advisory | Severity |
|---|---|---|---|---|---|
| snakeyaml | 1.27 | 1.31 | java-archive | GHSA-3mc7-4q67-w48m | High |
| snakeyaml | 1.27 | 1.31 | java-archive | GHSA-98wm-3w3q-mw94 | Medium |
| snakeyaml | 1.27 | 1.31 | java-archive | GHSA-c4r9-r8fh-9vj2 | Medium |
| snakeyaml | 1.27 | 1.31 | java-archive | GHSA-hhhw-99gj-p3c3 | Medium |
| snakeyaml | 1.27 | 1.32 | java-archive | GHSA-9w3m-gqgf-c4p9 | Medium |
| snakeyaml | 1.27 | 1.32 | java-archive | GHSA-w37g-rhq8-7m4j | Medium |
| snakeyaml | 1.27 | 2.0 | java-archive | GHSA-mjmj-j48q-9wg2 | High |

I traced down the version of SnakeYAML for Jinjava 2.7.1:

- Maven Repository: com.hubspot.jinjava » jinjava » 2.7.1
- As per their POM https://repo1.maven.org/maven2/com/hubspot/jinjava/jinjava/2.7.0/jinjava-2.7.0.pom
  --> Maven Repository: com.fasterxml.jackson.dataformat » jackson-dataformat-yaml » 2.12.6
- https://repo1.maven.org/maven2/com/fasterxml/jackson/dataformat/jackson-dataformat-yaml/2.12.6/jackson-dataformat-yaml-2.12.6.pom
  --> SnakeYAML 1.27

Could we please prioritize this for the next release? This will be a great relief for all the users.
Regards,
Souptik
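A consumer of jinjava that cannot wait for a new release can override the transitive SnakeYAML version in its own build. The following Maven POM is an added example and is not part of this issue or of the Jinjava project; the `com.example` coordinates are placeholders, the `2.7.1` jinjava version and the fixed SnakeYAML versions come from the advisory table above, and the note on jackson-dataformat-yaml compatibility afterwards is the editor's own caveat.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder coordinates for the consuming application (added example). -->
  <groupId>com.example</groupId>
  <artifactId>jinjava-consumer</artifactId>
  <version>0.1.0</version>

  <properties>
    <!-- Pick the fixed version from the advisory you are remediating:
         1.31 and 1.32 close the first six GHSA rows, 2.0 closes all seven. -->
    <snakeyaml.version>2.0</snakeyaml.version>
  </properties>

  <!-- dependencyManagement takes precedence over the version declared in
       jackson-dataformat-yaml's own POM, so the transitive org.yaml:snakeyaml
       that jinjava pulls in resolves to the pinned version instead of 1.27. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>${snakeyaml.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.hubspot.jinjava</groupId>
      <artifactId>jinjava</artifactId>
      <version>2.7.1</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml`. A pin to the 2.x line is only safe alongside a jackson-dataformat-yaml release built against SnakeYAML 2.x (2.15 or later); forcing 2.0 under the 2.12.6 that jinjava 2.7.1 declares will fail at runtime, so the jackson-dataformat-yaml version must be raised in the same change.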

@PrimosK

PrimosK commented Jul 12, 2024

+1
