
Update snakeyaml to 1.31 due to 3rd party vulnerability CVE-2022-25857


Details

    • Type: Fix
    • Status: Released
    • Priority: Minor
    • Resolution: Fixed
    • 2.4.0
    • 2.5.0
    • CVE-2022-25857

    Description

      Current Situation

      JS7 JOC uses snakeyaml 1.30.

      A vulnerability affects this version.

      We rate the vulnerability as LOW because our software uses snakeyaml only for the anonymization of log files and does not use snakeyaml in any way that would allow executable code to be maliciously injected. Any nesting depth of rules that does not match our implementation's expectations will be ignored and will not result in a DoS (Denial of Service).

      See CVE-2022-25857

      Desired Behaviour

      JS7 JOC should use the latest version 1.31 of snakeyaml.

      People

        Santiago Aucejo Petzoldt
        Oliver Haufe