Closed CVEDetect closed 1 year ago
Hi, in /, there is a dependency org.yaml:snakeyaml:1.26 that calls the risk method.
CVE-2022-25857
The affected version range of this CVE is [0,1.31)
After further analysis, in this project, the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length : 5
com.github.instaer.ruleengine.rule.service.RuleManageService: deleteRulesetInfo(java.lang.Long)V  /download/apache-maven-3.6.3/repository_mount/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object;  /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-core/2.11.4/jackson-core-2.11.4.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object;  /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-core/2.11.4/jackson-core-2.11.4.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node;  /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-core/2.11.4/jackson-core-2.11.4.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Dependency tree--
[INFO] com.github.instaer:RuleEngine:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.3.8.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.3.8.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.3.8.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.3.8.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.3.8.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  +- org.springframework:spring-core:jar:5.2.12.RELEASE:compile
[INFO] |  |  |  \- org.springframework:spring-jcl:jar:5.2.12.RELEASE:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.26:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.3.8.RELEASE:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.4:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.11.4:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.11.4:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.11.4:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.11.4:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.3.8.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.41:compile
[INFO] |  |  +- org.glassfish:jakarta.el:jar:3.0.3:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.41:compile
[INFO] |  +- org.springframework:spring-web:jar:5.2.12.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.2.12.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.2.12.RELEASE:compile
[INFO] |     +- org.springframework:spring-aop:jar:5.2.12.RELEASE:compile
[INFO] |     +- org.springframework:spring-context:jar:5.2.12.RELEASE:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.2.12.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.3.8.RELEASE:compile (optional)
[INFO] +- org.projectlombok:lombok:jar:1.18.16:compile (optional)
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.3.8.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-aop:jar:2.3.8.RELEASE:compile
[INFO] |  |  \- org.aspectj:aspectjweaver:jar:1.9.6:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.3.8.RELEASE:compile
[INFO] |  |  +- com.zaxxer:HikariCP:jar:3.4.5:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:5.2.12.RELEASE:compile
[INFO] |  +- jakarta.transaction:jakarta.transaction-api:jar:1.3.3:compile
[INFO] |  +- jakarta.persistence:jakarta.persistence-api:jar:2.2.3:compile
[INFO] |  +- org.hibernate:hibernate-core:jar:5.4.27.Final:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] |  |  +- org.javassist:javassist:jar:3.27.0-GA:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.10.19:compile
[INFO] |  |  +- antlr:antlr:jar:2.7.7:compile
[INFO] |  |  +- org.jboss:jandex:jar:2.1.3.Final:compile
[INFO] |  |  +- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] |  |  +- org.dom4j:dom4j:jar:2.1.3:compile
[INFO] |  |  +- org.hibernate.common:hibernate-commons-annotations:jar:5.1.2.Final:compile
[INFO] |  |  \- org.glassfish.jaxb:jaxb-runtime:jar:2.3.3:compile
[INFO] |  |     +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO] |  |     +- org.glassfish.jaxb:txw2:jar:2.3.3:compile
[INFO] |  |     +- com.sun.istack:istack-commons-runtime:jar:3.0.11:compile
[INFO] |  |     \- com.sun.activation:jakarta.activation:jar:1.2.2:runtime
[INFO] |  +- org.springframework.data:spring-data-jpa:jar:2.3.6.RELEASE:compile
[INFO] |  |  +- org.springframework.data:spring-data-commons:jar:2.3.6.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-orm:jar:5.2.12.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-tx:jar:5.2.12.RELEASE:compile
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] |  \- org.springframework:spring-aspects:jar:5.2.12.RELEASE:compile
[INFO] +- com.googlecode.aviator:aviator:jar:5.3.0:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.10:compile
[INFO] \- mysql:mysql-connector-java:jar:8.0.22:compile
Suggested solutions:
Update dependency version
Thank you very much.
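Added example, not part of this issue or of the RuleEngine project: a stand-alone Java program showing the failure mode behind CVE-2022-25857 (unbounded recursion in Composer.composeNode on deeply nested collections, ending in a StackOverflowError) next to the mitigation that snakeyaml 1.31 introduced, the nesting-depth limit set through LoaderOptions.setNestingDepthLimit. It assumes org.yaml:snakeyaml 1.31 or later on the classpath; the class name, the constructed input document and the depth values are my own choices.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

// Added example (not code from the issue or the RuleEngine project).
// Requires org.yaml:snakeyaml >= 1.31, where LoaderOptions.setNestingDepthLimit exists.
public class NestingDepthDemo {

    // Constructed input: a flow sequence nested `depth` levels deep, e.g. "[[[[]]]]".
    // Every '[' adds one level of Composer.composeNode -> composeSequenceNode recursion.
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Emulates the pre-1.31 behaviour by raising the limit out of reach (assumption:
    // Integer.MAX_VALUE is never exceeded). Recursion is then bounded only by the
    // thread stack, so a deep enough document ends in StackOverflowError.
    // Catching an Error is done here purely to make the outcome observable.
    static boolean loadWithoutLimit(String yaml) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(Integer.MAX_VALUE);
        try {
            new Yaml(opts).load(yaml);
            return true;
        } catch (StackOverflowError e) {
            return false;
        }
    }

    // Hardened: cap the nesting depth. snakeyaml 1.31+ rejects the document with a
    // YAMLException as soon as the limit is crossed, long before the stack is at risk.
    static boolean loadWithLimit(String yaml, int maxDepth) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(maxDepth);
        try {
            new Yaml(opts).load(yaml);
            return true;
        } catch (YAMLException e) {
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        String benign = nestedSequence(10);       // well inside any sane limit
        String hostile = nestedSequence(100_000); // constructed DoS-style input

        System.out.println("benign,  limit 50: " + loadWithLimit(benign, 50));   // true
        System.out.println("hostile, limit 50: " + loadWithLimit(hostile, 50));  // false, YAMLException
        System.out.println("hostile, no limit: " + loadWithoutLimit(hostile));   // false, StackOverflowError
    }
}
```

Two practical notes. First, confirm what the build really resolves with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml`; in a project that inherits spring-boot-starter-parent (the tree above shows Spring Boot 2.3.8.RELEASE, but the page does not show the parent POM, so this is an assumption) the version is governed by the `snakeyaml.version` property, and setting `<snakeyaml.version>1.31</snakeyaml.version>` in the POM's `<properties>` overrides the managed 1.26 without touching the starter. Second, the bot's invocation path shows only that the parser is reachable from RuleManageService, not that attacker-controlled YAML reaches it; Spring Boot itself uses snakeyaml to read application.yml, which is operator-controlled, so the practical severity for this project depends on whether RuleEngine parses YAML taken from request input, which the report does not establish.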