You should definitely restrict who can apply ACTools YAMLs, as even without vulnerabilities you can do a lot of harm by granting everyone access to the underlying repository. However, updating to the latest version would still be nice. There is a draft in https://github.com/Netcentric/accesscontroltool/pull/662 which updates to SnakeYAML 2.0 (easy) and tries to leverage SafeConstructor (hard). Doing one without the other does not make any difference from a vulnerability point of view (although tools no longer report the vulnerability). @sajithgowda Maybe you want to pick it up from there and finish the work.