Netcentric / accesscontroltool

Rights and roles management for AEM made easy
Eclipse Public License 1.0

CVE-2022-1471 - Update SnakeYAML to latest version to fix the security vulnerability issue reported #667

Closed sajithgowda closed 10 months ago

kwin commented 1 year ago

You should definitely restrict who can apply ACTools YAMLs as even without vulnerabilities you can do a lot of harm by granting everyone access to the underlying repository. However, updating to the latest version would still be nice. There is a draft in https://github.com/Netcentric/accesscontroltool/pull/662 which updates to SnakeYAML 2.0 (easy) and tries to leverage SafeConstructor (hard). Doing one without the other does not make any difference from a vulnerability point of view (although tools no longer report the vulnerability). @sajithgowda Maybe you want to pick it up from there and finish the work.
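As an added illustration of the SafeConstructor point made above (not code from the accesscontroltool project or the PR), the following shows how loading with SnakeYAML 2.x and SafeConstructor confines parsing to plain YAML types and refuses a document carrying a class-named tag; the sample YAML and the class name in the tag are constructed placeholders, and a snakeyaml 2.x jar on the classpath is assumed.

```java
// Added example (not ACTool's own code): parse an ACTool-style YAML with
// SnakeYAML 2.x using SafeConstructor, so only standard YAML types (maps,
// lists, scalars) are produced and global tags naming Java classes are refused.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {

    // Constructed sample shaped like an ACTool group definition; not a real config.
    static final String BENIGN_YAML =
        "- group_config:\n"
      + "  - content-readers:\n"
      + "    - name: Content Readers\n"
      + "      path: /home/groups/demo\n";

    // Constructed sample with a global tag naming a (placeholder) Java class.
    static final String TAGGED_YAML = "!!com.example.Placeholder {}\n";

    // SafeConstructor builds only standard YAML types; class-named tags are
    // reported as an error instead of being instantiated.
    static Yaml safeYaml() {
        LoaderOptions opts = new LoaderOptions();
        return new Yaml(new SafeConstructor(opts));
    }

    public static void main(String[] args) {
        Yaml yaml = safeYaml();

        // Benign document: loads into plain List/Map/String structures.
        Object cfg = yaml.load(BENIGN_YAML);
        System.out.println("loaded: " + cfg);

        // Tagged document: with SafeConstructor the load fails with a
        // ConstructorException (a YAMLException) for the unknown tag.
        try {
            yaml.load(TAGGED_YAML);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Using `new Yaml()` without a SafeConstructor leaves tag handling to the default constructor, which is the configuration the linked PR tries to move away from.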

kwin commented 10 months ago

This duplicates #660