Bio-Formats is a Java library for reading and writing data in life sciences image file formats. It is developed by the Open Microscopy Environment. Bio-Formats is released under the GNU General Public License (GPL); commercial licenses are available from Glencoe Software.
We are provisioning Digital Slide Archive in our corporate environment, where a security scanning tool is blocking me from deploying to the production environment due to a security vulnerability resolving to bioformats_package.jar. DSA uses large_image_wheels, which depends on bioformats_package.jar.
Distro | CVE ID | Compliance ID | Type | Severity | Packages | Package Version | Package License | CVSS | Fix Status | Description | Vulnerability Link | Package Path
-- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | --
ubuntu-jammy | CVE-2022-1471 | 47 | java | critical | org.yaml_snakeyaml | 1.32 | Apache License, Version 2.0 | 9.8 | fixed in 2.0 | SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond. | https://nvd.nist.gov/vuln/detail/CVE-2022-1471 | /opt/venv/lib/python3.9/site-packages/bioformats/jars/bioformats_package.jar
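The scanner finding above is a composition-analysis hit: the flagged SnakeYAML version is bundled inside the single fat jar, so the first thing a defender usually wants is an independent confirmation of which SnakeYAML build the jar actually carries and whether it is below the fixed version (2.0 in the table). The script below is an added example, not code from the post, from Bio-Formats, DSA or large_image_wheels. It assumes that the bundling step kept Maven's `META-INF/maven/org.yaml/snakeyaml/pom.properties` entry (shaded jars commonly do, but that is an assumption about bioformats_package.jar) and falls back to reporting only class presence when that entry is missing; the sample jar it builds is constructed for the demo and stands in for the real file path from the table.

```python
import io
import re
import zipfile

# Assumption: the fat jar keeps the Maven metadata of each bundled artifact.
# If this entry is absent, only the class-presence check below is meaningful.
SNAKEYAML_POM = "META-INF/maven/org.yaml/snakeyaml/pom.properties"
SNAKEYAML_CLASS_PREFIX = "org/yaml/snakeyaml/"
FIXED_VERSION = (2, 0)  # "fixed in 2.0" in the scanner table


def parse_version(text):
    """Turn '1.32' or '2.0' into a comparable tuple of ints (qualifiers dropped)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def inspect_jar(jar_bytes):
    """Report whether SnakeYAML is bundled, which version, and if that is below the fix."""
    result = {"bundled": False, "version": None, "affected": None}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        # Class presence: the library is inside this jar at all.
        result["bundled"] = any(n.startswith(SNAKEYAML_CLASS_PREFIX) for n in names)
        # Version: only determinable when the Maven pom.properties survived bundling.
        if SNAKEYAML_POM in names:
            props = jar.read(SNAKEYAML_POM).decode("utf-8", errors="replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if m:
                result["version"] = m.group(1).strip()
                result["affected"] = parse_version(result["version"]) < FIXED_VERSION
    return result


def build_sample_jar(version):
    """Constructed stand-in for bioformats_package.jar (not the real file):
    a zip with one SnakeYAML class entry and its pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(SNAKEYAML_CLASS_PREFIX + "Yaml.class", b"\xca\xfe\xba\xbe")
        jar.writestr(
            SNAKEYAML_POM,
            f"groupId=org.yaml\nartifactId=snakeyaml\nversion={version}\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    # Pass the real jar path (e.g. the Package Path from the scanner table) as argv[1];
    # with no argument the constructed sample jar at version 1.32 is inspected instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar("1.32")
    print(inspect_jar(data))
```

If `bundled` is true but `version` is `None`, the metadata was stripped and the scanner is most likely matching on class hashes; in that case the version claim has to be checked against the Bio-Formats release that built the jar rather than against the jar contents alone.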