swagger-codegen
swagger-codegen copied to clipboard
swagger-api
CVE-2017-18640 (High) detected in multiple libraries
CVE-2017-18640 - High Severity Vulnerability
Vulnerable Libraries - snakeyaml-1.12.jar, snakeyaml-1.16.jar, snakeyaml-1.15.jar
snakeyaml-1.12.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /samples/client/petstore-security-test/scala/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.12/ebe66a6b88caab31d7a19571ad23656377523545/snakeyaml-1.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.12/ebe66a6b88caab31d7a19571ad23656377523545/snakeyaml-1.12.jar
Dependency Hierarchy:
- swagger-core-1.5.8.jar (Root Library)
- jackson-dataformat-yaml-2.4.5.jar
- :x: snakeyaml-1.12.jar (Vulnerable Library)
- jackson-dataformat-yaml-2.4.5.jar
snakeyaml-1.16.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /samples/client/petstore/java/retrofit2-play25/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.16/d64fb662c9e42789149f5078a62a22edda786c6a/snakeyaml-1.16.jar
Dependency Hierarchy:
- play-java-ws_2.11-2.5.14.jar (Root Library)
- play-java_2.11-2.5.14.jar
- :x: snakeyaml-1.16.jar (Vulnerable Library)
- play-java_2.11-2.5.14.jar
snakeyaml-1.15.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /samples/server/petstore/jaxrs-resteasy/joda/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.15/3b132bea69e8ee099f416044970997bde80f4ea6/snakeyaml-1.15.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.15/3b132bea69e8ee099f416044970997bde80f4ea6/snakeyaml-1.15.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.15/3b132bea69e8ee099f416044970997bde80f4ea6/snakeyaml-1.15.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.15/3b132bea69e8ee099f416044970997bde80f4ea6/snakeyaml-1.15.jar
Dependency Hierarchy:
- play-java-ws_2.11-2.4.11.jar (Root Library)
- play-java_2.11-2.4.11.jar
- :x: snakeyaml-1.15.jar (Vulnerable Library)
- play-java_2.11-2.4.11.jar
Found in HEAD commit: 4b7a8d7d7384aa6a27d6309c35ade0916edae7ed
Found in base branches: 3.0.0, master
Vulnerability Details
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Publish Date: 2019-12-12
URL: CVE-2017-18640
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
Release Date: 2019-12-12
Fix Resolution (org.yaml:snakeyaml): 1.26
Direct dependency fix Resolution (io.swagger:swagger-core): 1.5.19
- [ ] Check this box to open an automated fix PR
![mend-for-github-com[bot] avatar](https://avatars.githubusercontent.com/in/30796?v=4 "Published by a pub.dev verified publisher"){kind=small}