launchdarkly / java-server-sdk

LaunchDarkly Server-Side SDK for Java

java-server-sdk is vulnerable to CVE-2022-1471 RCE #288

Closed antonmos closed 1 year ago

antonmos commented 1 year ago


Describe the bug: CVE-2022-1471 allows org.yaml.snakeyaml.Yaml to instantiate arbitrary Java classes when reading YAML files, which can be used to achieve an RCE (remote code execution).

To reproduce: see https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in

Expected behavior: launchdarkly should use org.yaml.snakeyaml.constructor.SafeConstructor to prevent the RCE.


SDK version: latest

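As an added illustration (not code from this issue or from the LaunchDarkly SDK), this is the hardened loading the report asks for: SnakeYAML's SafeConstructor only builds standard YAML types, so a document carrying a `!!` class tag is rejected with a ConstructorException instead of being resolved with Class.forName and instantiated. It assumes SnakeYAML 1.33 or 2.x on the classpath; the flag-file content and the tagged document are constructed samples.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Loads untrusted YAML (for example a flag data file) without allowing class instantiation. */
public final class SafeYamlLoad {

    // Constructed sample: the shape of a LaunchDarkly flag file, plain data only.
    static final String FLAG_FILE =
        "flagValues:\n"
      + "  my-boolean-flag: true\n"
      + "  my-string-flag: \"hello\"\n";

    // Constructed sample: a document that asks the parser to build a Java object.
    // SafeConstructor knows only the standard YAML tags, so any "!!some.Class" tag
    // is refused rather than looked up with Class.forName and instantiated.
    static final String TAGGED_DOC =
        "flagValues:\n"
      + "  my-flag: !!java.awt.Point {x: 1, y: 2}\n";

    /** Parses YAML with SafeConstructor; returns the root mapping or throws YAMLException. */
    static Map<String, Object> loadSafely(String document) {
        // LoaderOptions can additionally cap aliases and nesting depth; defaults are used here.
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        Object root = yaml.load(document);   // only maps, lists and scalars come back
        if (!(root instanceof Map)) {
            throw new YAMLException("expected a mapping at the document root");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> map = (Map<String, Object>) root;
        return map;
    }

    public static void main(String[] args) {
        System.out.println("plain data: " + loadSafely(FLAG_FILE));
        try {
            loadSafely(TAGGED_DOC);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // SafeConstructor throws ConstructorException for the unknown !!java.awt.Point tag
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same SafeConstructor-based Yaml instance is the drop-in replacement for a bare `new Yaml()` wherever the SDK reads file data, which is what the 5.10.5 and 6.0.2 fixes amount to.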

eli-darkly commented 1 year ago

Thanks for catching this. I've seen similar issues in YAML libraries for other platforms, and it never ceases to amaze me how many of their creators thought having the code execution extensions enabled by default was a good idea.

eli-darkly commented 1 year ago

And that discussion on Bitbucket is... really something.

eli-darkly commented 1 year ago

This is fixed in the 5.10.5 and 6.0.2 releases. Thanks again for the report and the fix.