launchdarkly / java-server-sdk

LaunchDarkly Server-Side SDK for Java

Vulnerability CVE-2022-1471 is introduced via SnakeYaml 1.32. Upgrading to 2.0 should fix it. #300

Closed jasperbogers-ig closed 1 year ago

jasperbogers-ig commented 1 year ago

Describe the bug
Launchdarkly java-server-sdk build.gradle has a dependency on SnakeYaml 1.32. That contains CVE-2022-1471. SnakeYaml 2.0 fixes it.

To reproduce
Run a CVE scanner like OWASP dependencyCheck. It will flag this library, for example launchdarkly-java-server-sdk-6.0.5.jar/META-INF/maven/org.yaml/snakeyaml/pom.xml (pkg:maven/org.yaml/snakeyaml@1.32, cpe:2.3:a:snakeyaml_project:snakeyaml:1.32:*:*:*:*:*:*:*) : CVE-2022-1471

Expected behavior
Using the LaunchDarkly java server SDK library shouldn't introduce a transitive SnakeYaml dependency that has a CVE.

SDK version
6.0.5

Language version, developer tools
Java 17

OS/platform
Ubuntu 22

Additional context
See https://nvd.nist.gov/vuln/detail/CVE-2022-1471 and https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes
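The scanner finding above points at a Maven descriptor inside the SDK jar itself (`...jar/META-INF/maven/org.yaml/snakeyaml/pom.xml`), which is why dependency-check attributes the SnakeYaml version to the LaunchDarkly artifact. The script below, an added example that is not part of the LaunchDarkly SDK or of this issue, reads those descriptors straight out of a jar and reports whether the bundled SnakeYaml is below the 2.0 fix version the reporter names. It relies only on the standard Maven layout `META-INF/maven/<groupId>/<artifactId>/pom.properties|pom.xml`; the sample jar it builds is a constructed fixture, not a real SDK release.

```python
"""Check a jar for a bundled SnakeYaml below the CVE-2022-1471 fix version (2.0).

Added example for the issue above; not LaunchDarkly SDK code. Assumes only the
standard Maven descriptor layout inside jars: META-INF/maven/<group>/<artifact>/.
"""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Coordinates from the dependency-check finding on the page, and the version the
# reporter and the SnakeYaml changelog name as the fix.
FLAGGED = ("org.yaml", "snakeyaml")
FIXED_VERSION = (2, 0)
CVE_ID = "CVE-2022-1471"

_POM_PATH = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.(properties|xml)$")
_POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(text):
    """Turn '1.32' or '2.0-SNAPSHOT' into a tuple of ints for comparison."""
    parts = []
    for piece in re.split(r"[.\-]", text.strip()):
        if not piece.isdigit():
            break  # stop at qualifiers such as SNAPSHOT or rc1
        parts.append(int(piece))
    return tuple(parts)


def _version_from_properties(data):
    # pom.properties is a flat key=value file written by Maven
    for line in data.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def _version_from_pom_xml(data):
    root = ET.fromstring(data)
    node = root.find(_POM_NS + "version")
    if node is None:  # version may be inherited from the parent POM
        node = root.find(_POM_NS + "parent/" + _POM_NS + "version")
    return node.text.strip() if node is not None and node.text else None


def bundled_artifacts(jar_bytes):
    """Map (groupId, artifactId) -> version for every Maven descriptor in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = _POM_PATH.match(name)
            if not m:
                continue
            group, artifact, kind = m.groups()
            data = jar.read(name)
            version = (_version_from_properties(data) if kind == "properties"
                       else _version_from_pom_xml(data))
            if version and (group, artifact) not in found:
                found[(group, artifact)] = version
    return found


def snakeyaml_finding(jar_bytes):
    """Return None if no SnakeYaml descriptor is bundled, else a finding dict."""
    version = bundled_artifacts(jar_bytes).get(FLAGGED)
    if version is None:
        return None
    vulnerable = parse_version(version) < FIXED_VERSION
    return {"artifact": "%s:%s" % FLAGGED, "version": version,
            "vulnerable": vulnerable, "cve": CVE_ID if vulnerable else None}


def make_sample_jar(snakeyaml_version, as_pom_xml=False):
    """Constructed fixture: a minimal jar bundling SnakeYaml's Maven descriptor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if as_pom_xml:
            jar.writestr("META-INF/maven/org.yaml/snakeyaml/pom.xml",
                         '<project xmlns="http://maven.apache.org/POM/4.0.0">'
                         "<groupId>org.yaml</groupId><artifactId>snakeyaml</artifactId>"
                         "<version>%s</version></project>" % snakeyaml_version)
        else:
            jar.writestr("META-INF/maven/org.yaml/snakeyaml/pom.properties",
                         "#Generated by Maven\nversion=%s\ngroupId=org.yaml\n"
                         "artifactId=snakeyaml\n" % snakeyaml_version)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:  # e.g. the SDK jar from your Gradle cache
            with open(path, "rb") as fh:
                print(path, snakeyaml_finding(fh.read()))
    else:
        print(snakeyaml_finding(make_sample_jar("1.32")))
```

Run it with one or more jar paths to check the artifacts actually on your classpath; with no arguments it reports on the constructed 1.32 fixture. Because the check reads the descriptor bundled inside the jar rather than the declared dependency graph, it answers the question a Gradle constraint on `org.yaml:snakeyaml` cannot: which SnakeYaml version is physically shipped in a given SDK build.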

tanderson-ld commented 1 year ago

Hello @jasperbogers-ig,

Thank you for submitting this issue. We have filed it internally as 192272.

Thanks, Todd

louis-launchdarkly commented 1 year ago

Hello @jasperbogers-ig, we have released Java Server SDK 6.0.6 to address this issue. Please let us know if there is any other problem.

louis-launchdarkly commented 1 year ago

While LaunchDarkly recommends upgrading to the 6.x version of the SDK to get the Contexts support, the same fix is backported back to 5.x.