Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2017-18640 #26

Closed
RickMoynihan opened this issue Jan 5, 2022 · 0 comments
Closed

CVE-2017-18640 #26

RickMoynihan opened this issue Jan 5, 2022 · 0 comments

Comments

@RickMoynihan
Copy link
Contributor

RickMoynihan commented Jan 5, 2022
edited
Loading

Just a note that the upstream library io.forward/yaml and consequently this library which depends on it, are flagged by nvd as being potentially vulnerable to the above CVE-2017-18640.

The library's master branch bumps its snakeyaml dependency to a more recent version which fixes the issue, however no release has been coined upstream.

I have opened an issue upstream here asking if they can create a new non-snapshot release: owainlewis/yaml#40

Though NOTE also the latest commit on their master branch also changes their maven group name.

In the mean time I suspect it is possible to include the snakeyaml dep here at a more recent version.
RickMoynihan added a commit to RickMoynihan/cybermonday that referenced this issue Jan 5, 2022
@RickMoynihan
Fixes kiranshila#26 CVE-2017-18640
d266a36
RickMoynihan added a commit to RickMoynihan/cybermonday that referenced this issue Jan 5, 2022
@RickMoynihan
Fixes kiranshila#26 CVE-2017-18640
166d8f4
kiranshila added a commit that referenced this issue Jan 10, 2022
@kiranshila
Merge pull request #27 from RickMoynihan/master
7fde68a 
Fixes #26 CVE-2017-18640
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@RickMoynihan