CVE-2022-1471 - org.yaml:snakeyaml, org.yaml:SnakeYAML in 2.15.3.Final

[adisnuhan]

Hello community,

we are getting OWASP and AWS ECR findings with the latest quarkus version. I wasn't able to find any relevant information or announcements from quarkus side regarding this topic.

We have YAML as a dependency in project only to be able to store our properties in application.yml file.

Does anyone knows if this finding with SnakeYAML is false positive or if not then how to solve it?

Thanks and regards,
Adis

[sberyozkin]

@adisnuhan Please see #30124, Quarkus is not really impacted, but it will be closed once the next snakeyaml version with the hardening updates is released

[TorokEni]

A new version of snake yaml was released on 26 Februar - https://mvnrepository.com/artifact/org.yaml/snakeyaml/2.0. Could we have it also with the next quarkus update please? :)

[sberyozkin]

Sure, see https://github.com/quarkusio/quarkus/blob/main/bom/application/pom.xml#L173.
My understanding it would be a sensitive update for 2.16.x, and as @gsmet has explained our use of SnakeYaml is safe, we made sure of it (DevConsole, Quarkus Config system via smallrye-config) use SafeConstructor

[TorokEni]

Thank you very much!
Can you please let me know with which quarkus version and when this will be released?
Thanks in advance!