Ericsson / ecchronos

Ericsson distributed repair scheduler for Apache Cassandra
Apache License 2.0

Investigate CVE-2022-1471 in ecChronos #689

Closed VictorCavichioli closed 1 month ago

VictorCavichioli commented 1 month ago

Summary

In October of 2022, a critical flaw was found in the SnakeYAML package, which allowed an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Finally, in February 2023, the SnakeYAML 2.0 release was pushed that resolves this flaw, also referred to as CVE-2022-1471.

Fix

The snakeyaml dependency should be updated to version 2.0.

Useful link: https://www.veracode.com/blog/research/resolving-cve-2022-1471-snakeyaml-20-release-0
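To make the fix concrete, the following is an added example (not ecChronos code, which, as noted further down in this issue, reads YAML through jackson rather than SnakeYAML directly). It assumes SnakeYAML 2.x on the classpath and shows the loading setup a defender wants for untrusted input: `SafeConstructor` plus a bounded `LoaderOptions`, and that the 2.x default `Constructor` now also refuses global (class-selecting) tags, which is what closes CVE-2022-1471.

```java
// Added example; assumes org.yaml:snakeyaml 2.0 or later.
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlSafeLoad {

    // Constructed sample documents. TAGGED carries a global tag that asks the
    // constructor to instantiate a class (a harmless JDK type here). Resolving
    // such tags to arbitrary classes by default is the root of CVE-2022-1471.
    static final String PLAIN =
        "name: ecchronos\nrepair_interval_hours: 168\n";
    static final String TAGGED =
        "created: !!java.util.Date 2022-10-01T00:00:00Z\nname: ecchronos\n";

    // Loads untrusted YAML into plain Map/List/scalar values only.
    // Works on both 1.x and 2.x; global tags are refused either way.
    static Map<String, Object> loadUntrusted(String yaml) {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);    // reject ambiguous documents
        opts.setMaxAliasesForCollections(50); // bound alias expansion
        Yaml safe = new Yaml(new SafeConstructor(opts));
        return safe.load(yaml);
    }

    // True if the loader accepts the document, false if it throws.
    static boolean accepted(Yaml loader, String yaml) {
        try {
            loader.load(yaml);
            return true;
        } catch (YAMLException e) {
            return false; // ComposerException/ConstructorException on global tags
        }
    }

    public static void main(String[] args) {
        Map<String, Object> cfg = loadUntrusted(PLAIN);
        System.out.println("name=" + cfg.get("name"));

        Yaml safe = new Yaml(new SafeConstructor(new LoaderOptions()));
        Yaml dflt = new Yaml(new Constructor(new LoaderOptions()));
        // Both print false on 2.x: the default TagInspector refuses global
        // tags unless a TagInspector is explicitly configured to allow them.
        System.out.println("SafeConstructor accepts tagged doc: " + accepted(safe, TAGGED));
        System.out.println("2.x Constructor accepts tagged doc:  " + accepted(dflt, TAGGED));
    }
}
```

On a 1.x classpath the second line would print true, which is the behaviour the upgrade removes; the `SafeConstructor` path is the portable choice while dependencies are still on 1.x.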

VictorCavichioli commented 1 month ago

We are currently not using snakeyaml directly; we use jackson-databind, which has snakeyaml as a dependency, but following the thread from the jackson community, they say that this vulnerability does not impact jackson. Also, the reports generated by dependency-check say nothing about it.

Jackson thread: https://github.com/FasterXML/jackson-dataformats-text/issues/213

tommystendahl commented 1 month ago

CVE-2022-1471 has already been analyzed and dismissed due to no impact. https://github.com/Ericsson/ecchronos/security/dependabot/23