This repository has been archived by the owner on May 30, 2024. It is now read-only.

Vulnerability CVE-2022-1471 is introduced via SnakeYaml 1.32. Upgrading to 2.0 should fix it. #300

Closed
jasperbogers-ig opened this issue Mar 8, 2023 · 3 comments

Comments

@jasperbogers-ig

Describe the bug
Launchdarkly java-server-sdk build.gradle has a dependency on SnakeYaml 1.32. That contains CVE-2022-1471. SnakeYaml 2.0 fixes it.

To reproduce
Run a CVE scanner like OWASP dependencyCheck. It will flag this library, for example launchdarkly-java-server-sdk-6.0.5.jar/META-INF/maven/org.yaml/snakeyaml/pom.xml (pkg:maven/org.yaml/snakeyaml@1.32, cpe:2.3:a:snakeyaml_project:snakeyaml:1.32:*:*:*:*:*:*:*) : CVE-2022-1471

Expected behavior
Using the LaunchDarkly java server SDK library shouldn't introduce a transitive SnakeYaml dependency that has a CVE.

SDK version
6.0.5

Language version, developer tools
Java 17

OS/platform
Ubuntu 22

Additional context
See https://nvd.nist.gov/vuln/detail/CVE-2022-1471 and https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes
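The scanner output in the report above matched SnakeYaml by the Maven metadata bundled inside the SDK jar itself (META-INF/maven/org.yaml/snakeyaml/...), which is also how you can confirm the finding, or verify a fixed build, without a full dependency-check run. The following script is an added example and not part of this issue or the LaunchDarkly SDK; it reads the `pom.properties` file that Maven places next to the `pom.xml` shown above (an assumption about the jar layout, true of Maven-built jars in general), compares the bundled SnakeYaml version against the first fixed release named in the report (2.0), and builds a constructed in-memory sample jar so it runs offline. The function and file names are mine.

```python
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

# Constructed sample: a minimal jar that bundles SnakeYaml's Maven metadata the
# way the dependency-check output above shows. Real jars built by Maven carry
# both pom.xml and pom.properties under META-INF/maven/<groupId>/<artifactId>/.
def build_sample_jar(snakeyaml_version: Optional[str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if snakeyaml_version is not None:
            zf.writestr(
                "META-INF/maven/org.yaml/snakeyaml/pom.properties",
                "version=%s\ngroupId=org.yaml\nartifactId=snakeyaml\n" % snakeyaml_version,
            )
    return buf.getvalue()


POM_PROPERTIES = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def bundled_maven_artifacts(jar_bytes: bytes) -> Dict[Tuple[str, str], str]:
    """Map (groupId, artifactId) -> version for every pom.properties bundled in the jar.

    This catches dependencies that were shaded into the jar and so never appear in
    the consumer's own build.gradle, which is why a CVE scanner reports them.
    """
    found: Dict[Tuple[str, str], str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPERTIES.match(name)
            if not m:
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            group = props.get("groupId", m.group(1))
            artifact = props.get("artifactId", m.group(2))
            if "version" in props:
                found[(group, artifact)] = props["version"]
    return found


def version_tuple(version: str) -> Tuple[int, ...]:
    # Numeric-only comparison: "1.32" -> (1, 32), "2.0" -> (2, 0). Good enough for
    # SnakeYaml's release numbering; not a general Maven version comparator.
    return tuple(int(part) for part in re.findall(r"\d+", version))


def snakeyaml_affected(jar_bytes: bytes, fixed: str = "2.0") -> Optional[str]:
    """Return the bundled SnakeYaml version if it is older than the fixed release, else None."""
    version = bundled_maven_artifacts(jar_bytes).get(("org.yaml", "snakeyaml"))
    if version is None:
        return None
    return version if version_tuple(version) < version_tuple(fixed) else None


if __name__ == "__main__":
    for label, jar in (("vulnerable", build_sample_jar("1.32")),
                       ("fixed", build_sample_jar("2.0")),
                       ("no snakeyaml", build_sample_jar(None))):
        print(label, "->", snakeyaml_affected(jar))
```

To check a real artifact, pass the bytes of the SDK jar (for example `open("launchdarkly-java-server-sdk-6.0.5.jar", "rb").read()`) to `snakeyaml_affected`; a non-`None` result means the jar still bundles a pre-2.0 SnakeYaml, and because the copy is shaded into the jar, a Gradle `resolutionStrategy` override on your own `org.yaml:snakeyaml` dependency would not replace it, so the upstream SDK release is the fix.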

@tanderson-ld
Contributor

Hello @jasperbogers-ig,

Thank you for submitting this issue. We have filed it internally as 192272.

Thanks,
Todd

@louis-launchdarkly
Contributor

Hello @jasperbogers-ig, we have released Java Server SDK 6.0.6 to address this issue. Please let us know if there is any other problem.

@louis-launchdarkly
Contributor

While LaunchDarkly recommends upgrading to the 6.x version of the SDK to get the Contexts support, the same fix is backported back to 5.x.
