atomashpolskiy / bt

BitTorrent library and client with DHT, magnet links, encryption and more
https://atomashpolskiy.github.io/bt/
Apache License 2.0

Dependency org.yaml:snakeyaml, leading to CVE problem #223

Open CVEDetect opened 1 year ago

CVEDetect commented 1 year ago

Hi, in /, there is a dependency org.yaml:snakeyaml:1.17 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 7

CVE Bug Invocation Path:

```
bt.bencoding.model.YamlBEObjectModelLoader: load(java.io.InputStream)Lbt.bencoding.model.BEObjectModel; /.m2/repository/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar
org.yaml.snakeyaml.Yaml: load(java.io.InputStream)Ljava.lang.Object; /.m2/repository/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar
org.yaml.snakeyaml.Yaml: loadFromReader(org.yaml.snakeyaml.reader.StreamReader,java.lang.Class)Ljava.lang.Object; /.m2/repository/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getSingleData(java.lang.Class)Ljava.lang.Object; /.m2/repository/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar
org.yaml.snakeyaml.composer.Composer: getSingleNode()Lorg.yaml.snakeyaml.nodes.Node; .m2/repository/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar
org.yaml.snakeyaml.composer.Composer: composeDocument()Lorg.yaml.snakeyaml.nodes.Node; /.m2/repository/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
```

Dependency tree--

```
[INFO] com.github.atomashpolskiy:bt-bencoding:jar:1.11-SNAPSHOT
[INFO] +- org.yaml:snakeyaml:jar:1.17:compile
[INFO] +- com.google.guava:guava:jar:30.1-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.5.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- org.mockito:mockito-all:jar:1.10.19:test
```

Suggested solutions:

Update dependency version

Thank you very much.
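The upstream fix for CVE-2022-25857 (snakeyaml 1.31) bounds how deeply the Composer will nest collections while composing a document; a loader on the `YamlBEObjectModelLoader.load` path shown above can apply that bound explicitly once the dependency is upgraded. The following is an added example, not code from the bt project, and it assumes snakeyaml >= 1.31 on the classpath; the class name `BoundedYamlLoad` and the depth of 20 are arbitrary choices for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class BoundedYamlLoad {

    // Build a Yaml whose Composer rejects any document nested deeper than maxDepth.
    // setNestingDepthLimit is assumed to exist, as it does from snakeyaml 1.31 onward.
    static Yaml boundedYaml(int maxDepth) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(maxDepth);
        return new Yaml(opts);
    }

    // Constructed sample input: a flow sequence nested `depth` levels, e.g. [[[]]] for 3.
    // Deep nesting of this shape is what drove the unbounded recursion in older versions.
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Returns true when the document loads, false when the nesting bound rejects it.
    static boolean loads(Yaml yaml, String document) {
        try {
            yaml.load(document);
            return true;
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = boundedYaml(20);
        System.out.println("shallow document loaded: " + loads(yaml, nestedSequence(10)));
        System.out.println("deep document loaded:    " + loads(yaml, nestedSequence(10_000)));
    }
}
```

Running against snakeyaml 1.17, the deep document instead descends through `composeNode` until the stack is exhausted, which is the failure the invocation path above leads to.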