Closed Boojapho closed 3 years ago
True, but as the comment in the pom.xml says:
<version>1.23</version> <!-- updating this breaks Java 6 compatibility -->
The vulnerability is for cases where the yaml file comes from an untrusted source. In case of the jmx_exporter
you will certainly write and deploy the yaml yourself, so the CVE doesn't really apply here.
There are plans for providing a default release for Java >= 8 and a separate jdk6 release, because this CVE seems to pop up regularly in users' security scans, see https://github.com/prometheus/jmx_exporter/issues/592
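One way to express the "default build on a patched snakeyaml, jdk6 build stays on 1.23" split mentioned above is a Maven profile that overrides the dependency version only when the build runs on a Java 6 JDK. This is an added illustration, not the project's own pom.xml; the property name, the profile id and the choice of 1.26 as the first snakeyaml release addressing CVE-2017-18640 are assumptions.

```xml
<!-- Added example, not jmx_exporter's pom.xml. Assumes 1.26 is the first
     snakeyaml release that addresses CVE-2017-18640 and still runs on Java 8. -->
<properties>
  <!-- Default (Java >= 8) build: patched snakeyaml -->
  <snakeyaml.version>1.26</snakeyaml.version>
</properties>

<dependencies>
  <dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
    <version>${snakeyaml.version}</version>
  </dependency>
</dependencies>

<profiles>
  <!-- Activated only when Maven itself runs on a 1.6 JDK; pins the last
       Java 6 compatible release, as the comment in the page's pom.xml notes. -->
  <profile>
    <id>jdk6</id>
    <activation>
      <jdk>1.6</jdk>
    </activation>
    <properties>
      <snakeyaml.version>1.23</snakeyaml.version>
    </properties>
  </profile>
</profiles>
```

Because the profile only changes a property, both builds produce the same artifact coordinates; a truly separate jdk6 release would additionally need its own classifier or artifactId. To verify which version a given build actually resolved (the value a security scanner will report), run `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` with and without a Java 6 JDK on the path.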
The current version in jmx_exporter is 1.2.3: https://github.com/prometheus/jmx_exporter/blob/master/collector/pom.xml#L32
The vulnerability in this version is https://nvd.nist.gov/vuln/detail/CVE-2017-18640
If you bump the version to snakeyaml 1.2.6 (or the latest 1.2.8), you can eliminate this vulnerability.