Closed CVEDetect closed 1 year ago
Hi, In /libs/chat-workflow,there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.
CVE-2022-25857
The scope of this CVE affected version is [0,1.31)
After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 5
CVE Bug Invocation Path : org.finos.springbot.workflow.actions.form.TableDeleteRows: acceptFormAction(org.finos.springbot.workflow.actions.FormAction)V /download/apache-maven-3.6.3/repository_mount/org/springframework/boot/spring-boot-autoconfigure/2.7.0/spring-boot-autoconfigure-2.7.0.jar org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-annotations/2.13.3/jackson-annotations-2.13.3.jar org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-annotations/2.13.3/jackson-annotations-2.13.3.jar org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-annotations/2.13.3/jackson-annotations-2.13.3.jar org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Dependency tree--
[INFO] org.finos.springbot:chat-workflow:jar:9.0.2-SNAPSHOT [INFO] +- org.springframework.boot:spring-boot-starter-validation:jar:2.7.0:compile [INFO] | +- org.springframework.boot:spring-boot-starter:jar:2.7.0:compile [INFO] | | +- org.springframework.boot:spring-boot:jar:2.7.0:compile [INFO] | | | \- org.springframework:spring-context:jar:5.3.20:compile [INFO] | | | \- org.springframework:spring-expression:jar:5.3.20:compile [INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.0:compile [INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.0:compile [INFO] | | | +- ch.qos.logback:logback-classic:jar:1.2.11:compile [INFO] | | | | \- ch.qos.logback:logback-core:jar:1.2.11:compile [INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile [INFO] | | | | \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile [INFO] | | | \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile [INFO] | | +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile [INFO] | | \- org.yaml:snakeyaml:jar:1.30:compile [INFO] | +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.63:compile [INFO] | \- org.hibernate.validator:hibernate-validator:jar:6.2.3.Final:compile [INFO] | +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile [INFO] | +- org.jboss.logging:jboss-logging:jar:3.4.3.Final:compile [INFO] | \- com.fasterxml:classmate:jar:1.5.1:compile [INFO] +- javax.validation:validation-api:jar:2.0.1.Final:compile [INFO] +- org.springframework.boot:spring-boot-starter-json:jar:2.7.0:compile [INFO] | +- org.springframework:spring-web:jar:5.3.20:compile [INFO] | | \- org.springframework:spring-beans:jar:5.3.20:compile [INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile [INFO] | | \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile [INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.3:compile [INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.3:compile [INFO] | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.3:compile [INFO] +- org.finos.springbot:entity-json:jar:9.0.2-SNAPSHOT:compile [INFO] | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile [INFO] +- org.springframework.boot:spring-boot-starter-aop:jar:2.7.0:compile [INFO] | +- org.springframework:spring-aop:jar:5.3.20:compile [INFO] | \- org.aspectj:aspectjweaver:jar:1.9.7:compile [INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:2.7.0:compile [INFO] | +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.7.0:compile [INFO] | | \- org.springframework.boot:spring-boot-actuator:jar:2.7.0:compile [INFO] | \- io.micrometer:micrometer-core:jar:1.9.0:compile [INFO] | +- org.hdrhistogram:HdrHistogram:jar:2.1.12:compile [INFO] | \- org.latencyutils:LatencyUtils:jar:2.0.3:runtime [INFO] \- org.springframework.boot:spring-boot-starter-test:jar:2.7.0:test [INFO] +- org.springframework.boot:spring-boot-test:jar:2.7.0:test [INFO] +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.0:test [INFO] +- com.jayway.jsonpath:json-path:jar:2.7.0:test [INFO] | +- net.minidev:json-smart:jar:2.4.8:test [INFO] | | \- net.minidev:accessors-smart:jar:2.4.8:test [INFO] | | \- org.ow2.asm:asm:jar:9.1:test [INFO] | \- org.slf4j:slf4j-api:jar:1.7.36:compile [INFO] +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test [INFO] | \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test [INFO] +- org.assertj:assertj-core:jar:3.22.0:test [INFO] +- org.hamcrest:hamcrest:jar:2.2:test [INFO] +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test [INFO] | +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test [INFO] | | +- org.opentest4j:opentest4j:jar:1.2.0:test [INFO] | | +- org.junit.platform:junit-platform-commons:jar:1.8.2:test [INFO] | | \- org.apiguardian:apiguardian-api:jar:1.1.0:test [INFO] | +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test [INFO] | \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test [INFO] | \- org.junit.platform:junit-platform-engine:jar:1.8.2:test [INFO] +- org.mockito:mockito-core:jar:4.5.1:test [INFO] | +- net.bytebuddy:byte-buddy:jar:1.12.10:test [INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.12.10:test [INFO] | \- org.objenesis:objenesis:jar:3.2:test [INFO] +- org.mockito:mockito-junit-jupiter:jar:4.5.1:test [INFO] +- org.skyscreamer:jsonassert:jar:1.5.0:test [INFO] | \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test [INFO] +- org.springframework:spring-core:jar:5.3.20:compile [INFO] | \- org.springframework:spring-jcl:jar:5.3.20:compile [INFO] +- org.springframework:spring-test:jar:5.3.20:test [INFO] \- org.xmlunit:xmlunit-core:jar:2.9.0:test
Suggested solutions:
Update dependency version
Thank you very much.
Hi, In /libs/chat-workflow,there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.
CVE-2022-25857
The scope of this CVE affected version is [0,1.31)
After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 5
Dependency tree--
Suggested solutions:
Update dependency version
Thank you very much.