
nacos-client 2.1.1 uses org.yaml.snakeyaml 1.30, which has the high-severity CVE-2022-25857 vulnerability #9177

Closed
nibiwodong opened this issue Sep 20, 2022 · 0 comments
Labels: dependencies (Pull requests that update a dependency file)

Comments

@nibiwodong

Describe the bug
org.yaml.snakeyaml 1.30 was released on Dec 15, 2021; after that, 1.31 was released on Aug 27, 2022 and 1.32 on Sep 12, 2022.

The nacos-client pom.xml does not specify a fixed version of org.yaml.snakeyaml, and the latest version of nacos-client was released on Aug 08, 2022, so nacos-client uses org.yaml.snakeyaml 1.30.

CVE-2022-25857 was published on Aug 30, 2022:
https://nvd.nist.gov/vuln/detail/CVE-2022-25857

Expected behavior
Upgrade the org.yaml.snakeyaml version from 1.30 to 1.32.
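Until a nacos-client release pins the dependency itself, an application that depends on nacos-client can force the SnakeYAML version from its own build. The following pom.xml is an added example, not the nacos project's own pom.xml: the groupId `com.example`, the artifactId `nacos-consumer` and the `snakeyaml.version` property are hypothetical names for the consuming application; `com.alibaba.nacos:nacos-client:2.1.1` and `org.yaml:snakeyaml:1.32` are the coordinates named in this issue.

```xml
<!-- Added example (not the nacos project's pom.xml): a consuming application's pom.xml
     that forces org.yaml:snakeyaml to 1.32 regardless of what nacos-client 2.1.1 pulls in. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- hypothetical consuming application coordinates -->
  <groupId>com.example</groupId>
  <artifactId>nacos-consumer</artifactId>
  <version>0.1.0</version>

  <properties>
    <!-- 1.32 is the version this issue asks for; raise it here when a newer fix ships -->
    <snakeyaml.version>1.32</snakeyaml.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version takes precedence over any transitively resolved version,
           so this overrides the 1.30 that nacos-client 2.1.1 otherwise brings in. -->
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>${snakeyaml.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the dependency under discussion; its own pom does not pin snakeyaml -->
    <dependency>
      <groupId>com.alibaba.nacos</groupId>
      <artifactId>nacos-client</artifactId>
      <version>2.1.1</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` in the consuming project and check that the only snakeyaml node in the tree reports 1.32. Note that `dependencyManagement` only affects the build it is declared in; every other consumer of nacos-client stays on 1.30 until the nacos-client pom itself is updated, which is what this issue requests.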

@KomachiSion added the dependencies (Pull requests that update a dependency file) label on Sep 21, 2022
@KomachiSion added this to the 2.1.2 milestone on Sep 21, 2022