Dependency org.yaml:snakeyaml, leading to CVE problem #1447

Open
CVEDetect opened this issue Apr 14, 2023 · 0 comments · May be fixed by #1449
@CVEDetect

Hi, in /common, there is a dependency org.yaml:snakeyaml:1.24 that calls the risk method.

CVE-2022-25857

The affected version range of this CVE is [0,1.31).

After further analysis, in this project, the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 7

org.wso2.testgrid.common.util.FileUtil: readYamlFile(java.lang.String,java.lang.Class)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/glassfish/hk2/hk2-utils/2.4.0-b34/hk2-utils-2.4.0-b34.jar
org.yaml.snakeyaml.Yaml: loadAs(java.io.InputStream,java.lang.Class)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/glassfish/hk2/hk2-utils/2.4.0-b34/hk2-utils-2.4.0-b34.jar
org.yaml.snakeyaml.Yaml: loadFromReader(org.yaml.snakeyaml.reader.StreamReader,java.lang.Class)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/glassfish/hk2/hk2-utils/2.4.0-b34/hk2-utils-2.4.0-b34.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getSingleData(java.lang.Class)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/glassfish/hk2/hk2-utils/2.4.0-b34/hk2-utils-2.4.0-b34.jar
org.yaml.snakeyaml.composer.Composer: getSingleNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/glassfish/hk2/hk2-utils/2.4.0-b34/hk2-utils-2.4.0-b34.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/glassfish/hk2/hk2-utils/2.4.0-b34/hk2-utils-2.4.0-b34.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] org.wso2.testgrid:org.wso2.testgrid.common:jar:1.0.8-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- org.eclipse.persistence:javax.persistence:jar:2.2.0:compile
[INFO] +- org.yaml:snakeyaml:jar:1.24:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.8.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.0:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] +- com.google.code.gson:gson:jar:2.2.4:compile
[INFO] +- org.jacoco:org.jacoco.agent:jar:runtime:0.7.9:compile
[INFO] +- com.google.code.findbugs:annotations:jar:3.0.1:provided
[INFO] |  +- net.jcip:jcip-annotations:jar:1.0:provided
[INFO] |  \- com.google.code.findbugs:jsr305:jar:3.0.1:provided
[INFO] +- org.apache.commons:commons-collections4:jar:4.1:compile
[INFO] +- commons-io:commons-io:jar:2.6:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] +- org.influxdb:influxdb-java:jar:2.11:compile
[INFO] |  +- com.squareup.retrofit2:retrofit:jar:2.4.0:compile
[INFO] |  +- com.squareup.retrofit2:converter-moshi:jar:2.4.0:compile
[INFO] |  |  \- com.squareup.moshi:moshi:jar:1.5.0:compile
[INFO] |  +- com.squareup.okhttp3:okhttp:jar:3.10.0:compile
[INFO] |  |  \- com.squareup.okio:okio:jar:1.14.0:compile
[INFO] |  \- com.squareup.okhttp3:logging-interceptor:jar:3.10.0:compile
[INFO] +- org.apache.httpcomponents.client5:httpclient5-fluent:jar:5.0-alpha3:compile
[INFO] |  +- org.apache.httpcomponents.client5:httpclient5:jar:5.0-alpha3:compile
[INFO] |  |  +- org.apache.httpcomponents.core5:httpcore5:jar:5.0-beta1:compile
[INFO] |  |  \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.0-beta1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.11.0:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.3:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.9:compile
[INFO] +- org.json:json:jar:20180130:compile
[INFO] +- commons-dbutils:commons-dbutils:jar:1.6:compile
[INFO] +- org.glassfish.jersey.core:jersey-server:jar:2.22.2:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-common:jar:2.22.2:compile
[INFO] |  |  +- org.glassfish.jersey.bundles.repackaged:jersey-guava:jar:2.22.2:compile
[INFO] |  |  \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.1:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-client:jar:2.22.2:compile
[INFO] |  +- javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile
[INFO] |  +- org.glassfish.jersey.media:jersey-media-jaxb:jar:2.22.2:compile
[INFO] |  +- javax.annotation:javax.annotation-api:jar:1.2:compile
[INFO] |  +- org.glassfish.hk2:hk2-api:jar:2.4.0-b34:compile
[INFO] |  |  +- org.glassfish.hk2:hk2-utils:jar:2.4.0-b34:compile
[INFO] |  |  \- org.glassfish.hk2.external:aopalliance-repackaged:jar:2.4.0-b34:compile
[INFO] |  +- org.glassfish.hk2.external:javax.inject:jar:2.4.0-b34:compile
[INFO] |  +- org.glassfish.hk2:hk2-locator:jar:2.4.0-b34:compile
[INFO] |  |  \- org.javassist:javassist:jar:3.18.1-GA:compile
[INFO] |  \- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] +- org.glassfish.jersey.media:jersey-media-json-jackson:jar:2.22.2:compile
[INFO] |  +- org.glassfish.jersey.ext:jersey-entity-filtering:jar:2.22.2:compile
[INFO] |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.5.4:compile
[INFO] |  \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.5.4:compile
[INFO] |     \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.5.4:compile
[INFO] +- com.amazonaws:aws-java-sdk:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-mobile:jar:1.11.219:compile
[INFO] |  |  \- com.amazonaws:jmespath-java:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-cloudhsmv2:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-glue:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-migrationhub:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-dax:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-greengrass:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-athena:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-marketplaceentitlement:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-codestar:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-lexmodelbuilding:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-resourcegroupstaggingapi:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-pinpoint:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-xray:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-opsworkscm:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-support:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-simpledb:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-servicecatalog:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-servermigration:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-simpleworkflow:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-storagegateway:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-route53:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-s3:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-importexport:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-sts:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-sqs:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-rds:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-redshift:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-elasticbeanstalk:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-glacier:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-iam:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-datapipeline:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-elasticloadbalancing:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-elasticloadbalancingv2:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-emr:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-elasticache:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-elastictranscoder:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-ec2:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-dynamodb:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-sns:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-budgets:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-cloudtrail:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-cloudwatch:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-logs:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-events:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-cognitoidentity:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-cognitosync:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-directconnect:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-cloudformation:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-cloudfront:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-clouddirectory:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-kinesis:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-opsworks:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-ses:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-autoscaling:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-cloudsearch:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-cloudwatchmetrics:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-codedeploy:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-codepipeline:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-kms:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-config:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-lambda:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-ecs:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-ecr:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-cloudhsm:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-ssm:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-workspaces:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-machinelearning:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-directory:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-efs:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-codecommit:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-devicefarm:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-elasticsearch:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-waf:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-marketplacecommerceanalytics:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-inspector:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-iot:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-api-gateway:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-acm:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-gamelift:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-dms:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-marketplacemeteringservice:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-cognitoidp:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-discovery:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-applicationautoscaling:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-snowball:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-rekognition:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-polly:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-lightsail:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-stepfunctions:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-health:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-costandusagereport:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-codebuild:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-appstream:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-shield:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-batch:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-lex:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-mechanicalturkrequester:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-organizations:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-workdocs:jar:1.11.219:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-core:jar:1.11.219:compile
[INFO] |  |  +- software.amazon.ion:ion-java:jar:1.0.2:compile
[INFO] |  |  \- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.6.7:compile
[INFO] |  +- com.amazonaws:aws-java-sdk-models:jar:1.11.219:compile
[INFO] |  \- com.amazonaws:aws-java-sdk-swf-libraries:jar:1.11.22:compile
[INFO] +- org.mockito:mockito-all:jar:1.10.19:test
[INFO] +- org.powermock:powermock-module-testng:jar:1.7.4:test
[INFO] |  +- org.powermock:powermock-core:jar:1.7.4:test
[INFO] |  |  \- org.powermock:powermock-reflect:jar:1.7.4:test
[INFO] |  +- org.powermock:powermock-module-testng-common:jar:1.7.4:test
[INFO] |  \- org.testng:testng:jar:6.11:test
[INFO] |     \- com.beust:jcommander:jar:1.64:test
[INFO] +- org.powermock:powermock-api-mockito:jar:1.7.4:test
[INFO] |  +- org.powermock:powermock-api-mockito-common:jar:1.7.4:test
[INFO] |  |  \- org.powermock:powermock-api-support:jar:1.7.4:test
[INFO] |  \- org.mockito:mockito-core:jar:1.10.19:test
[INFO] |     +- org.hamcrest:hamcrest-core:jar:1.1:test
[INFO] |     \- org.objenesis:objenesis:jar:2.1:test
[INFO] +- org.elasticsearch:elasticsearch:jar:6.4.1:compile
[INFO] |  +- org.elasticsearch:elasticsearch-core:jar:6.4.1:compile
[INFO] |  +- org.elasticsearch:elasticsearch-secure-sm:jar:6.4.1:compile
[INFO] |  +- org.elasticsearch:elasticsearch-x-content:jar:6.4.1:compile
[INFO] |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-smile:jar:2.8.10:compile
[INFO] |  |  \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.8.10:compile
[INFO] |  +- org.apache.lucene:lucene-core:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-analyzers-common:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-backward-codecs:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-grouping:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-highlighter:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-join:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-memory:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-misc:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-queries:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-queryparser:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-sandbox:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-spatial:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-spatial-extras:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-spatial3d:jar:7.4.0:compile
[INFO] |  +- org.apache.lucene:lucene-suggest:jar:7.4.0:compile
[INFO] |  +- org.elasticsearch:elasticsearch-cli:jar:6.4.1:compile
[INFO] |  |  \- net.sf.jopt-simple:jopt-simple:jar:5.0.2:compile
[INFO] |  +- com.carrotsearch:hppc:jar:0.7.1:compile
[INFO] |  +- joda-time:joda-time:jar:2.10:compile
[INFO] |  +- com.tdunning:t-digest:jar:3.2:compile
[INFO] |  +- org.hdrhistogram:HdrHistogram:jar:2.1.9:compile
[INFO] |  \- org.elasticsearch:jna:jar:4.5.1:compile
[INFO] \- org.elasticsearch.client:elasticsearch-rest-high-level-client:jar:6.4.2:compile
[INFO]    +- org.elasticsearch.client:elasticsearch-rest-client:jar:6.4.2:compile
[INFO]    |  +- org.apache.httpcomponents:httpasyncclient:jar:4.1.2:compile
[INFO]    |  \- org.apache.httpcomponents:httpcore-nio:jar:4.4.5:compile
[INFO]    +- org.elasticsearch.plugin:parent-join-client:jar:6.4.2:compile
[INFO]    +- org.elasticsearch.plugin:aggs-matrix-stats-client:jar:6.4.2:compile
[INFO]    +- org.elasticsearch.plugin:rank-eval-client:jar:6.4.2:compile
[INFO]    \- org.elasticsearch.plugin:lang-mustache-client:jar:6.4.2:compile
[INFO]       \- com.github.spullara.mustache.java:compiler:jar:0.9.5:compile

Suggested solutions:

Update dependency version

Thank you very much.
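As an added example (not part of the issue or of the wso2/testgrid project), a small Python check that parses `mvn dependency:tree` output in the format shown above and flags every org.yaml:snakeyaml occurrence whose version falls inside the affected range [0,1.31). The sample tree lines are constructed from the issue's tree, and the version comparison only looks at the numeric prefix of a Maven version, which is enough for this range.

```python
import re

# Affected range reported in the issue: [0, 1.31)
AFFECTED_MAX_EXCLUSIVE = "1.31"

# One line of `mvn dependency:tree` output, e.g.
#   "[INFO] +- org.yaml:snakeyaml:jar:1.24:compile"
#   "[INFO] |  +- org.jacoco:org.jacoco.agent:jar:runtime:0.7.9:compile"  (with classifier)
# The root artifact line has no scope and is deliberately not matched.
LINE_RE = re.compile(
    r"^\[INFO\]\s*[|+\\\- ]*"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+):"
    r"(?:(?P<classifier>[^:\s]+):)?(?P<version>[^:\s]+):(?P<scope>[^:\s]+)\s*$"
)


def version_key(version):
    """Numeric prefix of a Maven version: '1.24' -> (1, 24), '2.4.0-b34' -> (2, 4, 0).
    Qualifiers are dropped (simplification; fine for the [0, 1.31) range here)."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version, upper_exclusive=AFFECTED_MAX_EXCLUSIVE):
    """True when version < upper_exclusive, i.e. inside [0, upper_exclusive)."""
    return version_key(version) < version_key(upper_exclusive)


def find_vulnerable(tree_text, group="org.yaml", artifact="snakeyaml"):
    """Return (version, scope) for each line naming the artifact at an affected version."""
    hits = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["group"] == group and m["artifact"] == artifact and is_affected(m["version"]):
            hits.append((m["version"], m["scope"]))
    return hits


# Constructed sample: a handful of lines taken from the dependency tree in the issue.
SAMPLE_TREE = r"""
[INFO] org.wso2.testgrid:org.wso2.testgrid.common:jar:1.0.8-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- org.yaml:snakeyaml:jar:1.24:compile
[INFO] +- org.jacoco:org.jacoco.agent:jar:runtime:0.7.9:compile
[INFO] |  +- org.glassfish.hk2:hk2-api:jar:2.4.0-b34:compile
[INFO] \- org.elasticsearch:elasticsearch:jar:6.4.1:compile
"""

if __name__ == "__main__":
    print(find_vulnerable(SAMPLE_TREE))  # [('1.24', 'compile')]
```

Feed it the full `mvn dependency:tree` output of a module and an empty result means no snakeyaml version below 1.31 is on that module's classpath.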

@CVEDetect CVEDetect linked a pull request Apr 14, 2023 that will close this issue