Closed CVEDetect closed 1 year ago
@CVEDetect is it a virus?
@Vest It is a CVE vulnerability; there is a description of this vulnerability in #105.
I saw it. Instead of blindly approving your PR, have you seen a direct dependency on snakeyaml in this repository?
If not, have you contacted the owners of the dependencies that we use directly? If the vulnerability is fixed, I will bump Spring and the other dependencies.
One last thing: have you tried to use this vulnerability in the current project? What was the outcome?
Thanks
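The maintainer's first question above is whether snakeyaml is a direct dependency of this repository or only arrives transitively through Spring. The following is an added example (not code from this project or from either participant) that reads a Maven `pom.xml`, lists the direct dependencies, checks whether `org.yaml:snakeyaml` is among them, and checks whether the project already pins a newer version through the `snakeyaml.version` property that spring-boot-dependencies defines. The `pom.xml` content is constructed here for illustration and assumes a Maven build with the Spring Boot parent; the `assess` helper name is invented for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not the project's real build file): Spring Boot
# parent, one direct starter dependency, no direct snakeyaml dependency, and a
# property override that pins the transitive snakeyaml version.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.5</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1</version>
  <properties>
    <snakeyaml.version>1.33</snakeyaml.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
"""


def _ns(root):
    # Maven POMs normally declare a default namespace; hand-written ones may not.
    return root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""


def _q(ns, name):
    return f"{{{ns}}}{name}" if ns else name


def direct_dependencies(pom_xml):
    """Return the 'groupId:artifactId' coordinates declared under <dependencies>."""
    root = ET.fromstring(pom_xml)
    ns = _ns(root)
    deps = root.find(_q(ns, "dependencies"))
    if deps is None:
        return []
    coords = []
    for dep in deps.findall(_q(ns, "dependency")):
        group = (dep.findtext(_q(ns, "groupId")) or "").strip()
        artifact = (dep.findtext(_q(ns, "artifactId")) or "").strip()
        coords.append(f"{group}:{artifact}")
    return coords


def is_direct(pom_xml, coord):
    return coord in direct_dependencies(pom_xml)


def property_override(pom_xml, prop):
    """Return the value of <properties><prop>, or None when it is not set."""
    root = ET.fromstring(pom_xml)
    ns = _ns(root)
    value = root.findtext(f"{_q(ns, 'properties')}/{_q(ns, prop)}")
    return value.strip() if value else None


def version_tuple(version):
    # Numeric prefix of each dotted component; non-numeric parts count as 0.
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_at_least(version, minimum):
    a, b = version_tuple(version), version_tuple(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def assess(pom_xml, coord="org.yaml:snakeyaml",
           prop="snakeyaml.version", fixed="1.33"):
    """Summarise what the POM alone says about the vulnerable artifact."""
    override = property_override(pom_xml, prop)
    return {
        "direct": is_direct(pom_xml, coord),
        "override": override,
        "override_fixed": override is not None and version_at_least(override, fixed),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_POM))
```

Reading the POM only tells you what the project declares; the version Maven actually resolves comes from the parent's dependency management and the transitive graph. To confirm on a real checkout, run `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` and compare the printed version against 1.33.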
Starting from Spring 3.0.0, the version of snakeyaml has been upgraded to 1.33 to fix this vulnerability.
I am glad you came to the same conclusion. And I hope you understand why I declined your PR. I am working on the migration to Spring 3.
Thank you for your reply.
Fix issue #105 by updating dependency org.yaml:snakeyaml:1.33 @jreijn