
CVE-2017-18640 - High Severity Vulnerability

Open mrspaceman opened this issue 4 years ago • 10 comments

CVE-2017-18640 - High Severity Vulnerability

Vulnerable Library - snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /tmp/ws-scm/datahelix/core/build.gradle

Path to vulnerable library: /tmp/ws-ua/downloadResource_c5526757-2afd-4961-9fb2-8311b0585dfe/20200131152402/snakeyaml-1.23.jar,/tmp/ws-ua/downloadResource_c5526757-2afd-4961-9fb2-8311b0585dfe/20200131152402/snakeyaml-1.23.jar

Dependency Hierarchy:

javafaker-1.0.1.jar (Root Library)
    ❌ snakeyaml-1.23.jar (Vulnerable Library)

Vulnerability Details

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
    Attack Vector: Network
    Attack Complexity: Low
    Privileges Required: None
    User Interaction: None
    Scope: Unchanged
Impact Metrics:
    Confidentiality Impact: None
    Integrity Impact: None
    Availability Impact: High


mrspaceman avatar Feb 10 '20 08:02 mrspaceman

A new version of snakeyaml has been released which mitigates the CVE, thanks to the community.

I can provide a patch for pom.xml with updated dependency

RockyMM avatar Jul 22 '20 10:07 RockyMM

Hi @codingricky, is it possible to create a build 1.0.3? We're using java-faker on the datahelix project and would love a build that includes this fix :)

tjohnson-scottlogic avatar Sep 07 '20 08:09 tjohnson-scottlogic

> Hi @codingricky, is it possible to create a build 1.0.3? We're using java-faker on the datahelix project and would love a build that includes this fix :)

We are waiting for a release because we are also suffering from the problem fixed in #457 (merged July 6) - so a release would be highly appreciated here, too 😃

sambernet avatar Sep 14 '20 21:09 sambernet

I applied a workaround until a new version is released. Just exclude the outdated dependency and include it in its newer version:

    <!-- javafaker 1.0.2 transitively pulls in snakeyaml 1.23; exclude it here... -->
    <dependency>
        <groupId>com.github.javafaker</groupId>
        <artifactId>javafaker</artifactId>
        <version>1.0.2</version>
        <exclusions>
            <exclusion>
                <groupId>org.yaml</groupId>
                <artifactId>snakeyaml</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <!-- ...and declare the patched version directly so it is the only snakeyaml on the classpath. -->
    <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>1.26</version>
    </dependency>

raman-nbg avatar Sep 29 '20 07:09 raman-nbg
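The report above describes CVE-2017-18640 as alias expansion during a load operation, and the workaround swaps snakeyaml 1.23 for 1.26. The following is an added example, not code from java-faker, datafaker, or any commenter in this thread, showing what that means in practice: a constructed "billion laughs" style YAML document where each level is a sequence of nine aliases to the previous level, loaded through SnakeYAML's `LoaderOptions.setMaxAliasesForCollections`, which exists from 1.26 onward (default 50) and is absent in 1.23. It assumes snakeyaml 1.26 (or later) is on the classpath; the class name and the depth of 9 are illustrative choices.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

// Example class (hypothetical name); requires snakeyaml >= 1.26 on the classpath.
public class AliasExpansionCheck {

    // Constructed payload: level i is a sequence of nine aliases to level i-1, so a
    // few hundred bytes of YAML would expand to 9^depth leaf entries if fully resolved.
    static String buildPayload(int depth) {
        StringBuilder sb = new StringBuilder("a0: &a0 [\"lol\"]\n");
        for (int i = 1; i <= depth; i++) {
            sb.append("a").append(i).append(": &a").append(i).append(" [");
            for (int j = 0; j < 9; j++) {
                if (j > 0) sb.append(", ");
                sb.append("*a").append(i - 1);
            }
            sb.append("]\n");
        }
        return sb.toString();
    }

    // A loader that caps how many aliases to non-scalar (collection) nodes a document
    // may contain. The cap is enforced while composing nodes, before any expansion.
    static Yaml boundedLoader(int maxAliases) {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(maxAliases); // added in snakeyaml 1.26
        return new Yaml(opts);
    }

    public static void main(String[] args) {
        // 9 levels = 81 collection aliases in the text, 9^9 entries if expanded.
        String payload = buildPayload(9);

        Yaml loader = boundedLoader(50);
        try {
            Map<String, Object> doc = loader.load(payload);
            System.out.println("Loaded without hitting the limit: " + doc.size() + " keys");
        } catch (YAMLException e) {
            // On 1.26 this path is taken: the alias count exceeds the configured max.
            System.out.println("Rejected: " + e.getMessage());
        }

        // A legitimate document that reuses a couple of anchors stays well under the cap.
        String benign = "defaults: &d {retries: 3, timeout: 30}\nprod: *d\nstaging: *d\n";
        Map<String, Object> ok = loader.load(benign);
        System.out.println("Benign document keys: " + ok.keySet());
    }
}
```

Run against snakeyaml 1.23 the same class does not compile, because `setMaxAliasesForCollections` does not exist there, which is also a quick way to confirm which version the build actually resolved. After applying the exclusion above, `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` should list only the 1.26 artifact; if 1.23 still appears, another dependency is pulling it in and needs the same exclusion.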

Hey @codingricky

Do you have a timeline for 1.0.3 release?

Thanks!

RockyMM avatar May 17 '21 15:05 RockyMM

Seems @codingricky is MIA. Is there anyone else that can do a release? or is this dead in the water?

astubbs avatar Jan 27 '22 16:01 astubbs

FYI https://github.com/DiUS/java-faker/issues/700 1.0.3 release

astubbs avatar Jan 27 '22 16:01 astubbs

Hi @astubbs, it seems a bit quiet for the last 2 years, but even if they made a release, javafaker is quite buggy.

I made a fork of this library (https://www.datafaker.net) which does get regular updates, and which has almost all prs from this repo applied. My current release cadence is one release per month, and I welcome contributions.

(Btw, Datafaker also has all CVEs fixed, and removes almost all of the external dependencies)

bodiam avatar Jan 27 '22 22:01 bodiam

@bodiam https://datafaker.net/ doesn't work, but https://www.datafaker.net/ does. I suggest setting up a redirect from one to the other.

marcinkunert avatar Feb 25 '22 12:02 marcinkunert

@marcinkunert ah, thanks for letting me know, that's sloppy. I'll fix that soon, thanks!

bodiam avatar Feb 25 '22 12:02 bodiam