prometheus / jmx_exporter

A process for exposing JMX Beans via HTTP for Prometheus consumption
Apache License 2.0

Bump snakeyaml to eliminate known vulnerability #605

Closed Boojapho closed 3 years ago

Boojapho commented 3 years ago

The current version in jmx_exporter is 1.2.3: https://github.com/prometheus/jmx_exporter/blob/master/collector/pom.xml#L32
The vulnerability in this version is https://nvd.nist.gov/vuln/detail/CVE-2017-18640

If you bump the version to snakeyaml 1.2.6 (or the latest 1.2.8), you can eliminate this vulnerability.

fstab commented 3 years ago

True, but as the comment in the pom.xml says:

<version>1.23</version> <!-- updating this breaks Java 6 compatibility -->

The vulnerability is for cases where the yaml file comes from an untrusted source. In case of the jmx_exporter you will certainly write and deploy the yaml yourself, so the CVE doesn't really apply here.

There are plans for providing a default release for Java >= 8 and a separate jdk6 release, because this CVE seems to pop up regularly in users' security scans, see https://github.com/prometheus/jmx_exporter/issues/592
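As an added example, not code from the jmx_exporter project, here is the kind of check a dependency scanner performs on this issue: it reads the org.yaml:snakeyaml version out of a pom.xml (resolving a `${property}` reference if one is used) and compares it against 1.26, the first SnakeYAML release that contains the fix for CVE-2017-18640 according to the NVD entry. The pom fragment is constructed here, modelled on the line quoted above; the real collector pom is assumed to look similar but may inherit the version from a parent.

```python
"""Flag a Maven pom.xml whose SnakeYAML dependency predates the CVE-2017-18640 fix."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "1.26"  # first SnakeYAML release with the alias-expansion fix (per NVD)

# Constructed sample, modelled on the jmx_exporter collector pom line quoted in the issue.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <other.version>9.9</other.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
      <version>1.23</version> <!-- updating this breaks Java 6 compatibility -->
    </dependency>
  </dependencies>
</project>
"""


def version_key(version):
    """Numeric per-segment key so that '1.23' > '1.9' and '1.2.6' < '1.23' (string order would be wrong)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def _text(elem, tag):
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else None


def find_snakeyaml_version(pom_xml):
    """Return the declared org.yaml:snakeyaml version, or None if it is not declared inline."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)  # namespace-qualify a tag
    props = {}
    for props_elem in root.iter(q("properties")):
        for p in props_elem:
            props[p.tag.split("}")[-1]] = (p.text or "").strip()
    for dep in root.iter(q("dependency")):
        if _text(dep, q("groupId")) == "org.yaml" and _text(dep, q("artifactId")) == "snakeyaml":
            version = _text(dep, q("version"))
            if version and version.startswith("${") and version.endswith("}"):
                version = props.get(version[2:-1])  # resolve <version>${snakeyaml.version}</version>
            return version
    return None


def is_vulnerable(version):
    """True when the version predates the fix, False when at or past it, None when unknown."""
    if version is None:
        return None
    return version_key(version) < version_key(FIXED_VERSION)


if __name__ == "__main__":
    found = find_snakeyaml_version(SAMPLE_POM)
    print(f"snakeyaml {found}: vulnerable to CVE-2017-18640 = {is_vulnerable(found)}")
```

A version that is inherited from a parent pom or dependencyManagement comes back as None, which the check reports as unknown rather than silently passing.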