
CVE-2022-25857 - Upgrade to SnakeYAML 1.31


CVE-2022-25857 has been reported against the SnakeYaml project. This issue upgrades SnakeYaml to 1.31 for Spring Boot 3.0.0.

This CVE can make applications vulnerable to DoS attacks, given that the Yaml parser is used to parse untrusted input. Most Spring Boot applications use this library to parse their own application.yml configuration file, which is considered safe. If an attacker could change application.yml to exploit this vulnerability, they could cause much more damage than a DoS by just changing the properties, or by reading secrets.

The Spring Boot policy for upgrading third-party dependencies in our dependency management prevents us from upgrading this version in the maintenance branches, 2.6.x and 2.7.x. Doing so would expose developers to possible behavior or API changes that would disrupt their application. We've discussed the possibility of making an exception to this policy, but this case already happened in the past with SnakeYaml 1.26 (see #20366); so far we don't see a reason to do so, and we expect library maintainers to release patch versions for CVE fixes.

If your 2.6.x or 2.7.x application is using SnakeYaml to decode untrusted Yaml, for example from a web controller, you should override the SnakeYAML version property (snakeyaml.version) as soon as possible in your Gradle or Maven build.

Issue Analytics

  • State: closed
  • Created: a year ago
  • Reactions: 4
  • Comments: 34 (21 by maintainers)

Top GitHub Comments

asomov commented, Sep 23, 2022 (3 reactions)

Dear @robert-gdv, unfortunately, you re-distribute information which is partially confusing, partially just wrong. I would like to clarify.

  1. Fuzzy scanning is currently NOT revealing a lot of issues with snakeyaml. There are a few which are easily solved with proper configuration of the parser. There is probably one which may still be valid. If you think you are correct, please provide the list and we can go one-by-one.
  2. Despite my call to show a use case when the parser has to take untrusted input without the possibility of very basic sanitization, NO SINGLE real use case was provided. Please help me to find one.
  3. The low-quality tooling (like DependencyChecker) has hundreds (!!!) of issues, many of which are about false positives. They do not fix them. Why should we bother about the quality if they do not ???
  4. The low-quality tooling does not check the most important part - the context. So they blindly complain about anything. Noise.
  5. There is nothing to fix in SnakeYAML. Otherwise please show what exactly.
  6. You cannot simply "use another tool" as you say. All the parsers have to follow the specification, and it requires support for data structures which can be misused by a potential attacker.
  7. Please clarify this statement: "I expect some updates of snakeyaml in the near future." - what exactly do you expect?
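
The issue body above tells 2.6.x/2.7.x users who feed untrusted YAML to SnakeYAML to pin `snakeyaml.version` to 1.31, and the comment above says the remaining fuzzing findings are "easily solved with proper configuration of the parser". The following class is an added example of what that parser configuration looks like on the consuming side; it is not code from the Spring Boot issue, from Spring Boot, or from the SnakeYAML project. It assumes the build already resolves org.yaml:snakeyaml 1.31 or later (so that `LoaderOptions.setNestingDepthLimit` exists), assumes Java 11 or later for `String.repeat`, and uses a constructed, deliberately over-deep flow sequence only to check that the configured limit rejects it.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Optional;

/**
 * Hardened loader for YAML that does NOT come from the application's own
 * application.yml (e.g. a request body). Assumes SnakeYAML >= 1.31 on the
 * classpath, which the snakeyaml.version build property is expected to pin.
 */
public final class UntrustedYamlLoader {

    private final Yaml yaml;

    public UntrustedYamlLoader(int maxNestingDepth) {
        LoaderOptions options = new LoaderOptions();
        // CVE-2022-25857 mitigation: bound collection nesting depth.
        // The setter is new in 1.31 (its built-in default is 50).
        options.setNestingDepthLimit(maxNestingDepth);
        // Bound alias expansion so a small document cannot grow into a huge object graph.
        options.setMaxAliasesForCollections(50);
        // Reject documents whose duplicate keys would silently overwrite each other.
        options.setAllowDuplicateKeys(false);
        // SafeConstructor only builds standard YAML types, never arbitrary Java classes.
        this.yaml = new Yaml(new SafeConstructor(options));
    }

    /**
     * Parses untrusted YAML; returns empty (and logs) when the document
     * violates one of the configured limits instead of propagating the error.
     */
    public Optional<Object> load(String untrustedYaml) {
        try {
            return Optional.ofNullable(yaml.load(untrustedYaml));
        } catch (YAMLException e) {
            // Depth, alias and duplicate-key violations all surface as YAMLException.
            System.err.println("rejected YAML input: " + e.getMessage());
            return Optional.empty();
        }
    }

    /** Constructed check input: a flow sequence nested `depth` levels deep, e.g. "[[[]]]". */
    static String nestedSequence(int depth) {
        return "[".repeat(depth) + "]".repeat(depth);
    }

    public static void main(String[] args) {
        UntrustedYamlLoader loader = new UntrustedYamlLoader(20);

        // Ordinary document: accepted.
        System.out.println("plain document loaded: "
                + loader.load("name: demo\nports: [80, 443]\n").isPresent());

        // Nesting deeper than the configured limit of 20: rejected.
        System.out.println("over-deep document loaded: "
                + loader.load(nestedSequence(25)).isPresent());
    }
}
```

The constructor-level settings matter more than the version bump alone: upgrading to 1.31 only introduces the depth limit with its default of 50, and `SafeConstructor` (rather than the default `Constructor`) is what keeps untrusted documents from instantiating application classes. Pick `maxNestingDepth` from the shape of the documents you actually expect, not from the library default.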

bclozel commented, Sep 14, 2022 (3 reactions)

@abegum123 this is already fixed and to be shipped with Spring Boot 2.6.12 and 2.7.4, see #32228

Both releases are scheduled next week.


Top Results From Across the Web

  • upgrade to SnakeYaml 1.31 in spring-boot-starter-parent 2.7.3: Have a Spring Boot project in which I wanted to either exclude snakeyaml 1.30 or upgrade it to 1.31 in order to avoid Fortify issue reporting.
  • upgrading snakeyaml to version 1.31 - Google Groups: We would be safe to upgrade snakeyaml to version 1.31. I am asking this question because the module file for snakeyaml in wildfly...
  • Got StackOverflowError for many open unmatched brackets: In most spring boot applications, snakeyaml is only used indirectly ... breaking changes: CVE-2022-25857 - Upgrade to SnakeYAML 1.31 · Issue ...
  • Security update for snakeyaml SUSE-SU-2022:3397-1: CVE-2022-25857: Fixed denial of service vulnerability due to missing nested depth limitation for collections (bsc#1202932). Patch Instructions:.
  • CVE-2022-25857 Detail - NVD: The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to missing nested depth limitation for ...
