Closed CVEDetect closed 1 year ago
Hi, in /jraft-example, there is a dependency org.yaml:snakeyaml:1.27 that calls the risk method.
CVE-2022-25857
The affected version range of this CVE is [0,1.31).
After further analysis, in this project, the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Risk method repair link: GitHub
CVE Bug Invocation Path

Path Length: 5

```
com.alipay.sofa.jraft.example.rheakv.MultiGetExample: multiGet(com.alipay.sofa.jraft.rhea.client.RheaKVStore)V
/download/apache-maven-3.6.3/repository_mount/org/ow2/asm/asm/6.0/asm-6.0.jar org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object;
/download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-annotations/2.12.6/jackson-annotations-2.12.6.jar org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node;
/download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-annotations/2.12.6/jackson-annotations-2.12.6.jar org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node;
/download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-annotations/2.12.6/jackson-annotations-2.12.6.jar org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
```
Dependency tree

```
[INFO] com.alipay.sofa:jraft-example:jar:1.3.12
[INFO] +- com.alipay.sofa:jraft-core:jar:1.3.12:compile
[INFO] |  +- org.ow2.asm:asm:jar:6.0:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.rocksdb:rocksdbjni:jar:7.7.3:compile
[INFO] |  +- net.java.dev.jna:jna:jar:5.5.0:compile
[INFO] |  +- org.jctools:jctools-core:jar:2.1.1:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] |  +- com.lmax:disruptor:jar:3.3.7:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.5.1:compile
[INFO] |  +- commons-io:commons-io:jar:2.8.0:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- com.alipay.sofa:bolt:jar:1.6.4:compile
[INFO] |  |  +- io.netty:netty-all:jar:4.1.42.Final:compile
[INFO] |  |  \- com.alipay.sofa.common:sofa-common-tools:jar:1.0.12:compile
[INFO] |  +- com.alipay.sofa:hessian:jar:3.3.6:compile
[INFO] |  \- io.dropwizard.metrics:metrics-core:jar:4.0.2:compile
[INFO] +- com.alipay.sofa:jraft-rheakv-core:jar:1.3.12:compile
[INFO] |  +- net.openhft:affinity:jar:3.1.7:compile
[INFO] |  |  +- net.java.dev.jna:jna-platform:jar:4.4.0:compile
[INFO] |  |  \- com.intellij:annotations:jar:12.0:compile
[INFO] |  +- org.apache.commons:commons-compress:jar:1.21:compile
[INFO] |  +- io.protostuff:protostuff-core:jar:1.6.0:compile
[INFO] |  |  \- io.protostuff:protostuff-api:jar:1.6.0:compile
[INFO] |  \- io.protostuff:protostuff-runtime:jar:1.6.0:compile
[INFO] |     \- io.protostuff:protostuff-collectionschema:jar:1.6.0:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-jcl:jar:2.17.1:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.12.6:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.27:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.6.1:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.6:compile
```
Suggested solutions:
Update dependency version
Thank you very much.