You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar
Dependency Hierarchy:
framework-3.0.0-SNAPSHOT.jar (Root Library)
opensearch-3.0.0-SNAPSHOT.jar
opensearch-x-content-3.0.0-SNAPSHOT.jar
❌ snakeyaml-1.33.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.
mend-for-github-combot
changed the title
framework-3.0.0-SNAPSHOT.jar: 1 vulnerabilities (highest severity is: 9.8)
framework-3.0.0-SNAPSHOT.jar: 1 vulnerabilities (highest severity is: 9.8) - autoclosed
Jan 10, 2023
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
mend-for-github-combot
changed the title
framework-3.0.0-SNAPSHOT.jar: 1 vulnerabilities (highest severity is: 9.8) - autoclosed
framework-3.0.0-SNAPSHOT.jar: 1 vulnerabilities (highest severity is: 9.8)
Feb 28, 2023
The snakeyaml dependency is coming from OpenSearch core and this has been addressed in this PR by bumping the version to 2.0. So, closing this issue. opensearch-project/OpenSearch#6511
Vulnerable Library - framework-3.0.0-SNAPSHOT.jar
Path to dependency file: /libs/h3/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2022-1471
Vulnerable Library - snakeyaml-1.33.jar
YAML 1.1 parser and emitter for Java
Library home page: https://bitbucket.org/snakeyaml/snakeyaml
Path to dependency file: /libs/h3/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.
Publish Date: 2022-12-01
URL: CVE-2022-1471
CVSS 3 Score Details (9.8)
Base Score Metrics:
The text was updated successfully, but these errors were encountered: