Alastair created GEODE-10431:
--------------------------------

             Summary: SnakeYAML 1.3.0 has known security vulnerabilities (5)
                 Key: GEODE-10431
                 URL: https://issues.apache.org/jira/browse/GEODE-10431
             Project: Geode
          Issue Type: Bug
    Affects Versions: 1.15.0
            Reporter: Alastair


Five vulnerabilities (one High, four Medium) are reported against the SnakeYAML version bundled with Geode 1.15.0. All five are fixed in SnakeYAML 1.33.

||Severity||CVE||Description||Status||
|HIGH|[CVE-2022-25857|https://nvd.nist.gov/vuln/detail/CVE-2022-25857] (BDSA-2022-2579)|SnakeYAML Vulnerable to Denial-of-Service (DoS) via Lack of Nested Depth Limitation for Collections|Fixed in 1.33|
|MEDIUM|[CVE-2022-38752|https://nvd.nist.gov/vuln/detail/CVE-2022-38752] (BDSA-2022-2590)|SnakeYAML Vulnerable to Denial-of-Service (DoS) via Stack Overflow Caused by 'ArrayList' Recursion|Fixed in 1.33|
|MEDIUM|[CVE-2022-38751|https://nvd.nist.gov/vuln/detail/CVE-2022-38751] (BDSA-2022-2587)|SnakeYAML Vulnerable to Denial-of-Service (DoS) via Regular Expression Mishandling|Fixed in 1.33|
|MEDIUM|[CVE-2022-38749|https://nvd.nist.gov/vuln/detail/CVE-2022-38749] (BDSA-2022-2577)|SnakeYAML Vulnerable to Denial-of-Service (DoS) via Stack-Based Buffer Overflow in Parsing of Untrusted YAML Files|Fixed in 1.33|
|MEDIUM|[CVE-2022-38750|https://nvd.nist.gov/vuln/detail/CVE-2022-38750] (BDSA-2022-2578)|SnakeYAML Vulnerable to Denial-of-Service (DoS) via Stack-Based Buffer Overflow in 'BaseConstructor.java'|Fixed in 1.33|
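Beyond bumping the dependency, the four DoS classes listed above (unbounded nesting, recursive collections, oversized input) are mitigated on the consuming side by loading untrusted YAML with bounded LoaderOptions. The following is an added example for SnakeYAML 1.33, not Geode's code; it assumes the setNestingDepthLimit, setCodePointLimit and SafeConstructor(LoaderOptions) APIs of that release, and the limit values are illustrative.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class BoundedYamlLoader {

    // Illustrative limits (assumption); size them to the documents your service expects.
    private static final int MAX_DEPTH = 20;
    private static final int MAX_CODE_POINTS = 1024 * 1024; // refuse more than 1 MiB of YAML text
    private static final int MAX_ALIASES = 50;

    // Builds a loader that fails fast instead of recursing or allocating without bound.
    static Yaml newBoundedLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(MAX_DEPTH);        // caps collection nesting (CVE-2022-25857 class)
        opts.setCodePointLimit(MAX_CODE_POINTS);     // rejects oversized documents before parsing
        opts.setMaxAliasesForCollections(MAX_ALIASES); // limits alias expansion ("billion laughs")
        opts.setAllowRecursiveKeys(false);           // refuses self-referencing keys
        // SafeConstructor only materialises standard YAML types, never arbitrary classes.
        return new Yaml(new SafeConstructor(opts));
    }

    // Constructed test input: a sequence nested 'depth' levels deep, e.g. [[[x]]].
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('x');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) {
        Yaml yaml = newBoundedLoader();
        Object normal = yaml.load("region: users\nports: [10334, 40404]\n");
        System.out.println("normal document loaded: " + normal);
        try {
            // Exceeds MAX_DEPTH by a wide margin; the loader must reject it, not recurse.
            yaml.load(nestedSequence(MAX_DEPTH * 10));
            System.out.println("unexpected: over-deep document accepted");
        } catch (YAMLException e) {
            System.out.println("rejected over-deep document: " + e.getMessage());
        }
    }
}
```

The same LoaderOptions object can be passed wherever the application constructs a Yaml instance, so the limits apply uniformly to every parse path that handles external input.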

--
This message was sent by Atlassian Jira
(v8.20.10#820010)