Closed CVEDetect closed 2 months ago
Hi, In /,there is a dependency org.yaml:snakeyaml:1.29 that calls the risk method.
CVE-2022-25857
The scope of this CVE affected version is [0,1.31)
After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 5
CVE Bug Invocation Path : bdv.ui.keymap.KeymapsListData: init(java.lang.String,java.util.List)V /.m2/repository/org/ojalgo/ojalgo/45.1.1/ojalgo-45.1.1.jar org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object; /.m2/repository/org/yaml/snakeyaml/1.29/snakeyaml-1.29.jar org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object; /.m2/repository/org/yaml/snakeyaml/1.29/snakeyaml-1.29.jar org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /.m2/repository/org/yaml/snakeyaml/1.29/snakeyaml-1.29.jar org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Dependency tree--
[INFO] sc.fiji:bigdataviewer-core:jar:10.4.6-SNAPSHOT [INFO] +- net.imglib2:imglib2:jar:5.12.0:compile [INFO] +- net.imglib2:imglib2-realtransform:jar:3.1.2:compile [INFO] | +- gov.nist.math:jama:jar:1.0.3:compile [INFO] | +- jitk:jitk-tps:jar:3.0.3:compile [INFO] | | \- com.googlecode.efficient-java-matrix-library:ejml:jar:0.25:compile [INFO] | \- org.slf4j:slf4j-api:jar:1.7.32:compile [INFO] +- net.imglib2:imglib2-cache:jar:1.0.0-beta-16:compile [INFO] | +- com.github.ben-manes.caffeine:caffeine:jar:2.4.0:compile [INFO] | \- org.scijava:scijava-optional:jar:1.0.1:compile [INFO] +- net.imglib2:imglib2-algorithm:jar:0.12.1:compile [INFO] | +- net.imglib2:imglib2-roi:jar:0.12.1:compile [INFO] | +- net.sf.trove4j:trove4j:jar:3.0.3:compile [INFO] | \- org.ojalgo:ojalgo:jar:45.1.1:compile [INFO] +- sc.fiji:spim_data:jar:2.2.7:compile [INFO] | \- org.scijava:scijava-common:jar:2.89.0:compile [INFO] | +- org.scijava:parsington:jar:3.0.0:compile [INFO] | \- org.bushe:eventbus:jar:1.4:compile [INFO] +- cisd:jhdf5:jar:19.04.1:compile [INFO] | +- cisd:base:jar:18.09.0:compile [INFO] | +- commons-io:commons-io:jar:2.7:compile [INFO] | \- org.apache.commons:commons-lang3:jar:3.12.0:compile [INFO] +- org.jdom:jdom2:jar:2.0.6:compile [INFO] +- com.google.code.gson:gson:jar:2.9.0:compile [INFO] +- org.scijava:ui-behaviour:jar:2.0.7:compile [INFO] | \- org.yaml:snakeyaml:jar:1.29:compile [INFO] +- org.scijava:scijava-listeners:jar:1.0.0-beta-3:compile [INFO] +- org.janelia.saalfeldlab:n5:jar:2.5.1:compile [INFO] | +- org.tukaani:xz:jar:1.9:compile [INFO] | +- org.lz4:lz4-java:jar:1.8.0:compile [INFO] | \- org.apache.commons:commons-compress:jar:1.21:compile [INFO] +- com.miglayout:miglayout-swing:jar:5.2:compile [INFO] | \- com.miglayout:miglayout-core:jar:5.2:compile [INFO] +- com.formdev:flatlaf:jar:2.4:compile [INFO] +- dev.dirs:directories:jar:24:compile [INFO] \- junit:junit:jar:4.13.2:test [INFO] \- org.hamcrest:hamcrest-core:jar:1.3:test
Suggested solutions:
Update dependency version
Thank you very much.
Hi, In /,there is a dependency org.yaml:snakeyaml:1.29 that calls the risk method.
CVE-2022-25857
The scope of this CVE affected version is [0,1.31)
After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 5
Dependency tree--
Suggested solutions:
Update dependency version
Thank you very much.