DiUS / java-faker

Brings the popular ruby faker gem to Java
http://dius.github.io/java-faker

CVE-2017-18640 - High Severity Vulnerability #470

Open mrspaceman opened 4 years ago

mrspaceman commented 4 years ago

CVE-2017-18640 - High Severity Vulnerability

Vulnerable Library - snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /tmp/ws-scm/datahelix/core/build.gradle

Path to vulnerable library: /tmp/ws-ua/downloadResource_c5526757-2afd-4961-9fb2-8311b0585dfe/20200131152402/snakeyaml-1.23.jar

Dependency Hierarchy:

javafaker-1.0.1.jar (Root Library)
    ❌ snakeyaml-1.23.jar (Vulnerable Library)

Vulnerability Details

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
Impact Metrics:
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: High


RockyMM commented 4 years ago

A new version of snakeyaml has been released which mitigates the CVE, thanks to the community.

I can provide a patch for pom.xml with updated dependency

tjohnson-scottlogic commented 4 years ago

Hi @codingricky, is it possible to create a build 1.0.3? We're using java-faker on the datahelix project and would love a build that includes this fix :)

sambernet commented 4 years ago

> Hi @codingricky, is it possible to create a build 1.0.3? We're using java-faker on the datahelix project and would love a build that includes this fix :)

We are waiting for a release because we are also suffering from the problem fixed in #457 (merged July 6) - so a release would be highly appreciated here, too 😃

raman-nbg commented 4 years ago

I applied a workaround until a new version is released. Just exclude the outdated dependency and include it in its newer version:

```xml
<dependency>
    <groupId>com.github.javafaker</groupId>
    <artifactId>javafaker</artifactId>
    <version>1.0.2</version>
    <exclusions>
        <exclusion>
            <groupId>org.yaml</groupId>
            <artifactId>snakeyaml</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
    <version>1.26</version>
</dependency>
```

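Swapping in snakeyaml 1.26 is only half of the mitigation: 1.26 introduced `LoaderOptions.setMaxAliasesForCollections`, which caps how many times a non-scalar anchor may be referenced by alias in one document, and that cap is what bounds the expansion described in the report above. The following Java snippet is an added example, not code from this thread or from the java-faker project; it assumes snakeyaml 1.26 or later is the resolved version on the classpath (exactly what the exclusion above achieves) and uses only the public SnakeYAML API of that version. The class name `BoundedYamlLoader` and the two YAML documents are constructed for illustration.

```java
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

/**
 * Example (not part of java-faker): a SnakeYAML 1.26+ loader that refuses documents
 * which reference collection anchors via alias more than maxAliases times.
 */
public final class BoundedYamlLoader {
    private final Yaml yaml;

    public BoundedYamlLoader(int maxAliases) {
        LoaderOptions loaderOptions = new LoaderOptions();
        // Cap alias reuse of non-scalar nodes; this is the 1.26 knob that bounds
        // the alias-driven expansion behind CVE-2017-18640 (default is 50).
        loaderOptions.setMaxAliasesForCollections(maxAliases);
        // SafeConstructor only builds standard YAML types (maps, lists, scalars),
        // never arbitrary Java classes named in the document.
        this.yaml = new Yaml(new SafeConstructor(), new Representer(),
                             new DumperOptions(), loaderOptions);
    }

    /** Loads the document; throws YAMLException when the alias cap is exceeded. */
    public Object load(String document) {
        return yaml.load(document);
    }

    /** Returns true if the document loads, false if the loader rejects it. */
    public boolean accepts(String document) {
        try {
            load(document);
            return true;
        } catch (YAMLException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        BoundedYamlLoader loader = new BoundedYamlLoader(10);

        // Constructed sample: one anchored list reused twice, ordinary config-style YAML.
        String normal = "defaults: &d [a, b, c]\nfirst: *d\nsecond: *d\n";
        System.out.println("normal document accepted: " + loader.accepts(normal));

        // Constructed sample: the same anchor referenced 12 times, over the limit of 10.
        StringBuilder heavy = new StringBuilder("defaults: &d [a, b, c]\n");
        for (int i = 0; i < 12; i++) {
            heavy.append("ref").append(i).append(": *d\n");
        }
        System.out.println("alias-heavy document accepted: " + loader.accepts(heavy.toString()));
    }
}
```

Running `main` prints `true` for the two-alias document and `false` for the twelve-alias one, because SnakeYAML's composer counts aliases to non-scalar nodes and throws a `YAMLException` once the configured maximum is passed. Pick the limit from what your real inputs need; if your code only hands YAML to javafaker's own locale files and never loads untrusted documents, the version bump alone removes the vulnerable code path, but any place that loads user-supplied YAML should set the cap explicitly rather than rely on the default.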
RockyMM commented 3 years ago

Hey @codingricky

Do you have a timeline for 1.0.3 release?

Thanks!

astubbs commented 2 years ago

Seems @codingricky is MIA. Is there anyone else that can do a release? Or is this dead in the water?

astubbs commented 2 years ago

FYI https://github.com/DiUS/java-faker/issues/700 1.0.3 release

bodiam commented 2 years ago

Hi @astubbs, it seems a bit quiet for the last 2 years, but even if they made a release, javafaker is quite buggy.

I made a fork of this library (https://www.datafaker.net) which does get regular updates, and which has almost all PRs from this repo applied. My current release cadence is one release per month, and I welcome contributions.

(Btw, Datafaker also has all CVEs fixed, and removes almost all of the external dependencies)

marcinkunert commented 2 years ago

@bodiam https://datafaker.net/ doesn't work, but https://www.datafaker.net/ does. I suggest setting up a redirect from one to the other.

bodiam commented 2 years ago

@marcinkunert ah, thanks for letting me know, that's sloppy. I'll fix that soon, thanks!