CVE-2022-25857 (High) detected in multiple libraries

[mend-for-github-com[bot]]

CVE-2022-25857 - High Severity Vulnerability

Vulnerable Libraries - snakeyaml-1.15.jar, snakeyaml-1.12.jar, snakeyaml-1.16.jar, snakeyaml-1.30.jar

snakeyaml-1.15.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /samples/server/petstore/jaxrs-resteasy/joda/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.15/3b132bea69e8ee099f416044970997bde80f4ea6/snakeyaml-1.15.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.15/3b132bea69e8ee099f416044970997bde80f4ea6/snakeyaml-1.15.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.15/3b132bea69e8ee099f416044970997bde80f4ea6/snakeyaml-1.15.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.15/3b132bea69e8ee099f416044970997bde80f4ea6/snakeyaml-1.15.jar

Dependency Hierarchy:

• play-java-ws_2.11-2.4.11.jar (Root Library)
  • play-java_2.11-2.4.11.jar
    • :x: snakeyaml-1.15.jar (Vulnerable Library)

snakeyaml-1.12.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /samples/client/petstore-security-test/scala/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.12/ebe66a6b88caab31d7a19571ad23656377523545/snakeyaml-1.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.12/ebe66a6b88caab31d7a19571ad23656377523545/snakeyaml-1.12.jar

Dependency Hierarchy:

• swagger-core-1.5.8.jar (Root Library)
  • jackson-dataformat-yaml-2.4.5.jar
    • :x: snakeyaml-1.12.jar (Vulnerable Library)

snakeyaml-1.16.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /samples/client/petstore/java/retrofit2-play25/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.16/d64fb662c9e42789149f5078a62a22edda786c6a/snakeyaml-1.16.jar

Dependency Hierarchy:

• play-java-ws_2.11-2.5.14.jar (Root Library)
  • play-java_2.11-2.5.14.jar
    • :x: snakeyaml-1.16.jar (Vulnerable Library)

snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /modules/swagger-codegen-cli/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar,/modules/swagger-generator/target/swagger-generator-2.4.29-SNAPSHOT/WEB-INF/lib/snakeyaml-1.30.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar,/modules/swagger-generator/target/lib/snakeyaml-1.30.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar

Dependency Hierarchy:

• :x: snakeyaml-1.30.jar (Vulnerable Library)

Found in HEAD commit: 4b7a8d7d7384aa6a27d6309c35ade0916edae7ed

Found in base branches: 3.0.0, master

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (io.swagger:swagger-core): 1.5.19

---

• [ ] Check this box to open an automated fix PR