Dependency org.yaml:snakeyaml, leading to CVE problem #18

Open
CVEDetect opened this issue Mar 1, 2023 · 0 comments


Hi, in /mqr-rest, there is a dependency org.yaml:snakeyaml:1.26 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is **[0,1.31)**

After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 7

CVE Bug Invocation Path:
com.molicloud.mqr.config.WebConfiguration: addCorsMappings(org.springframework.web.servlet.config.annotation.CorsRegistry)V /.m2/repository/org/springframework/boot/spring-boot-starter-tomcat/2.3.5.RELEASE/spring-boot-starter-tomcat-2.3.5.RELEASE.jar
org.springframework.web.servlet.config.annotation.CorsRegistration: allowedMethods(java.lang.String[])Lorg.springframework.web.servlet.config.annotation.CorsRegistration; /.m2/repository/com/alibaba/transmittable-thread-local/2.11.5/transmittable-thread-local-2.11.5.jar
org.springframework.web.cors.CorsConfiguration: setAllowedMethods(java.util.List)V /.m2/repository/org/springframework/boot/spring-boot-starter-tomcat/2.3.5.RELEASE/spring-boot-starter-tomcat-2.3.5.RELEASE.jar
org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object; /.m2/repository/org/springframework/boot/spring-boot-starter-tomcat/2.3.5.RELEASE/spring-boot-starter-tomcat-2.3.5.RELEASE.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object; /.m2/repository/org/springframework/boot/spring-boot-starter-tomcat/2.3.5.RELEASE/spring-boot-starter-tomcat-2.3.5.RELEASE.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /.m2/repository/org/springframework/boot/spring-boot-starter-tomcat/2.3.5.RELEASE/spring-boot-starter-tomcat-2.3.5.RELEASE.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] com.molicloud.mqr:mqr-rest:jar:1.0-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.3.5.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.3.5.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.3.5.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.3.5.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.3.5.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  +- org.springframework:spring-core:jar:5.2.10.RELEASE:compile
[INFO] |  |  |  \- org.springframework:spring-jcl:jar:5.2.10.RELEASE:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.26:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.3.5.RELEASE:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.11.3:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.11.3:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.3.5.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.39:compile
[INFO] |  |  +- org.glassfish:jakarta.el:jar:3.0.3:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.39:compile
[INFO] |  +- org.springframework:spring-web:jar:5.2.10.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.2.10.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.2.10.RELEASE:compile
[INFO] |     +- org.springframework:spring-aop:jar:5.2.10.RELEASE:compile
[INFO] |     +- org.springframework:spring-context:jar:5.2.10.RELEASE:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.2.10.RELEASE:compile
[INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.11.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.11.3:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.11.3:compile
[INFO] +- org.xerial:sqlite-jdbc:jar:3.31.1:compile
[INFO] +- com.molicloud.mqr:mqr-service:jar:1.0-SNAPSHOT:compile
[INFO] |  +- com.auth0:java-jwt:jar:3.11.0:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.14:runtime
[INFO] |  +- com.baomidou:mybatis-plus-boot-starter:jar:3.4.1:compile
[INFO] |  |  +- com.baomidou:mybatis-plus:jar:3.4.1:compile
[INFO] |  |  |  \- com.baomidou:mybatis-plus-extension:jar:3.4.1:compile
[INFO] |  |  |     +- com.baomidou:mybatis-plus-core:jar:3.4.1:compile
[INFO] |  |  |     |  +- com.baomidou:mybatis-plus-annotation:jar:3.4.1:compile
[INFO] |  |  |     |  +- com.github.jsqlparser:jsqlparser:jar:3.2:compile
[INFO] |  |  |     |  \- org.mybatis:mybatis:jar:3.5.6:compile
[INFO] |  |  |     \- org.mybatis:mybatis-spring:jar:2.0.5:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-jdbc:jar:2.3.5.RELEASE:compile
[INFO] |  |     +- com.zaxxer:HikariCP:jar:3.4.5:compile
[INFO] |  |     \- org.springframework:spring-jdbc:jar:5.2.10.RELEASE:compile
[INFO] |  |        \- org.springframework:spring-tx:jar:5.2.10.RELEASE:compile
[INFO] |  \- com.molicloud.mqr:mqr-common:jar:1.0-SNAPSHOT:compile
[INFO] |     +- org.projectlombok:lombok:jar:1.18.12:compile
[INFO] |     +- cn.hutool:hutool-all:jar:5.4.4:compile
[INFO] |     +- com.alibaba:transmittable-thread-local:jar:2.11.5:compile
[INFO] |     +- com.google.zxing:javase:jar:3.3.0:compile
[INFO] |     |  +- com.google.zxing:core:jar:3.3.0:compile
[INFO] |     |  +- com.beust:jcommander:jar:1.48:compile
[INFO] |     |  \- com.github.jai-imageio:jai-imageio-core:jar:1.3.1:compile
[INFO] |     +- io.springfox:springfox-boot-starter:jar:3.0.0:compile
[INFO] |     |  +- io.springfox:springfox-oas:jar:3.0.0:compile
[INFO] |     |  |  +- io.swagger.core.v3:swagger-annotations:jar:2.1.2:compile
[INFO] |     |  |  +- io.swagger.core.v3:swagger-models:jar:2.1.2:compile
[INFO] |     |  |  +- io.springfox:springfox-spi:jar:3.0.0:compile
[INFO] |     |  |  +- io.springfox:springfox-schema:jar:3.0.0:compile
[INFO] |     |  |  +- io.springfox:springfox-core:jar:3.0.0:compile
[INFO] |     |  |  |  \- net.bytebuddy:byte-buddy:jar:1.10.17:compile
[INFO] |     |  |  +- io.springfox:springfox-spring-web:jar:3.0.0:compile
[INFO] |     |  |  |  \- io.github.classgraph:classgraph:jar:4.8.83:compile
[INFO] |     |  |  +- io.springfox:springfox-spring-webmvc:jar:3.0.0:compile
[INFO] |     |  |  +- io.springfox:springfox-spring-webflux:jar:3.0.0:compile
[INFO] |     |  |  +- io.springfox:springfox-swagger-common:jar:3.0.0:compile
[INFO] |     |  |  \- org.mapstruct:mapstruct:jar:1.3.1.Final:runtime
[INFO] |     |  +- io.springfox:springfox-data-rest:jar:3.0.0:compile
[INFO] |     |  +- io.springfox:springfox-bean-validators:jar:3.0.0:compile
[INFO] |     |  +- io.springfox:springfox-swagger2:jar:3.0.0:compile
[INFO] |     |  |  +- io.swagger:swagger-annotations:jar:1.5.20:compile
[INFO] |     |  |  \- io.swagger:swagger-models:jar:1.5.20:compile
[INFO] |     |  +- io.springfox:springfox-swagger-ui:jar:3.0.0:compile
[INFO] |     |  +- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] |     |  +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] |     |  +- org.springframework.plugin:spring-plugin-core:jar:2.0.0.RELEASE:compile
[INFO] |     |  \- org.springframework.plugin:spring-plugin-metadata:jar:2.0.0.RELEASE:compile
[INFO] |     \- org.springframework.boot:spring-boot-starter-validation:jar:2.3.5.RELEASE:compile
[INFO] |        \- org.hibernate.validator:hibernate-validator:jar:6.1.6.Final:compile
[INFO] |           +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |           \- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] \- com.molicloud.mqr:mqr-plugin-framework:jar:1.0-SNAPSHOT:compile
[INFO]    +- net.mamoe:mirai-core-jvm:jar:2.14.0:compile
[INFO]    |  +- net.mamoe:mirai-core-api-jvm:jar:2.14.0:compile
[INFO]    |  |  +- org.jetbrains.kotlin:kotlin-reflect:jar:1.3.72:compile
[INFO]    |  |  \- net.mamoe:mirai-console-compiler-annotations-jvm:jar:2.14.0:runtime
[INFO]    |  +- org.jetbrains.kotlinx:kotlinx-serialization-core-jvm:jar:1.3.3:compile
[INFO]    |  +- org.jetbrains.kotlinx:kotlinx-serialization-json-jvm:jar:1.3.3:compile
[INFO]    |  +- org.jetbrains.kotlinx:kotlinx-coroutines-core-jvm:jar:1.6.4:compile
[INFO]    |  +- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.3.72:compile
[INFO]    |  +- org.jetbrains.kotlinx:kotlinx-coroutines-jdk8:jar:1.3.8:compile
[INFO]    |  +- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.3.72:compile
[INFO]    |  |  \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.3.72:compile
[INFO]    |  +- org.bouncycastle:bcprov-jdk15on:jar:1.64:runtime
[INFO]    |  +- me.him188:kotlin-jvm-blocking-bridge-runtime-jvm:jar:2.1.0-170.1:runtime
[INFO]    |  +- me.him188:kotlin-dynamic-delegation-jvm:jar:0.3.0-170.1:runtime
[INFO]    |  +- net.mamoe:mirai-core-utils-jvm:jar:2.14.0:runtime
[INFO]    |  +- org.jetbrains.kotlinx:kotlinx-serialization-protobuf-jvm:jar:1.3.3:runtime
[INFO]    |  +- org.jetbrains.kotlinx:atomicfu-jvm:jar:0.18.3:runtime
[INFO]    |  +- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
[INFO]    |  \- io.netty:netty-handler:jar:4.1.53.Final:runtime
[INFO]    |     +- io.netty:netty-common:jar:4.1.53.Final:runtime
[INFO]    |     +- io.netty:netty-resolver:jar:4.1.53.Final:runtime
[INFO]    |     +- io.netty:netty-buffer:jar:4.1.53.Final:runtime
[INFO]    |     +- io.netty:netty-transport:jar:4.1.53.Final:runtime
[INFO]    |     \- io.netty:netty-codec:jar:4.1.53.Final:runtime
[INFO]    +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.7.10:compile
[INFO]    |  \- org.jetbrains:annotations:jar:13.0:compile
[INFO]    +- io.ktor:ktor-client-core:jar:1.6.1:compile
[INFO]    |  +- io.ktor:ktor-http:jar:1.6.1:runtime
[INFO]    |  |  \- io.ktor:ktor-utils:jar:1.6.1:runtime
[INFO]    |  |     \- io.ktor:ktor-io:jar:1.6.1:runtime
[INFO]    |  +- io.ktor:ktor-http-cio:jar:1.6.1:runtime
[INFO]    |  \- org.jetbrains.kotlinx:atomicfu:jar:0.16.1:runtime
[INFO]    +- org.jetbrains.kotlinx:kotlinx-coroutines-core:jar:1.6.1:compile
[INFO]    +- com.molicloud.mqr:mqr-plugin-core:jar:1.0-SNAPSHOT:compile
[INFO]    +- com.molicloud.mqr:mqr-plugin-aireply:jar:1.0-SNAPSHOT:compile
[INFO]    +- com.molicloud.mqr:mqr-plugin-adblock:jar:1.0-SNAPSHOT:compile
[INFO]    +- com.molicloud.mqr:mqr-plugin-divination:jar:1.0-SNAPSHOT:compile
[INFO]    +- com.molicloud.mqr:mqr-plugin-qrcode:jar:1.0-SNAPSHOT:compile
[INFO]    +- com.molicloud.mqr:mqr-plugin-manager:jar:1.0-SNAPSHOT:compile
[INFO]    +- com.molicloud.mqr:mqr-plugin-test:jar:1.0-SNAPSHOT:compile
[INFO]    +- com.molicloud.mqr:mqr-plugin-votekick:jar:1.0-SNAPSHOT:compile
[INFO]    +- com.molicloud.mqr:mqr-plugin-dyurl:jar:1.0-SNAPSHOT:compile
[INFO]    \- com.molicloud.mqr:mqr-plugin-avatar:jar:1.0-SNAPSHOT:compile

Suggested solutions:

Update dependency version

Thank you very much.
