yoti-java-sdk icon indicating copy to clipboard operation
yoti-java-sdk copied to clipboard

Published 20 hours ago verified publisher icon getyoti

Dependency org.yaml:snakeyaml, leading to CVE problem

Open CVEDetect opened this issue 1 year ago • 0 comments

Hi, In /examples/doc-scan,there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 8

com.yoti.docscan.demo.service.DocScanService: getMedia(java.lang.String,java.lang.String)Lcom.yoti.api.client.Media; /download/apache-maven-3.6.3/repository_mount/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
com.yoti.api.client.docs.DocScanClient: getMediaContent(java.lang.String,java.lang.String)Lcom.yoti.api.client.Media; /download/apache-maven-3.6.3/repository_mount/org/bouncycastle/bcprov-jdk15on/1.70/bcprov-jdk15on-1.70.jar
com.yoti.api.client.docs.DocScanService: getMediaContent(java.lang.String,java.security.KeyPair,java.lang.String,java.lang.String)Lcom.yoti.api.client.Media; /download/apache-maven-3.6.3/repository_mount/org/bouncycastle/bcprov-jdk15on/1.70/bcprov-jdk15on-1.70.jar
com.yoti.api.client.docs.DocScanService: findContentType(com.yoti.api.client.spi.remote.call.SignedRequestResponse)Ljava.lang.String; /download/apache-maven-3.6.3/repository_mount/org/bouncycastle/bcprov-jdk15on/1.70/bcprov-jdk15on-1.70.jar
org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-core/2.13.3/jackson-core-2.13.3.jar
org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-core/2.13.3/jackson-core-2.13.3.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-core/2.13.3/jackson-core-2.13.3.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] com.yoti.docscan.demo:doc-scan-demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.1:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.7.1:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.3:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.3:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.1:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.64:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.64:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.64:compile
[INFO] |  +- org.springframework:spring-web:jar:5.3.21:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.3.21:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.21:compile
[INFO] |     +- org.springframework:spring-aop:jar:5.3.21:compile
[INFO] |     +- org.springframework:spring-context:jar:5.3.21:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.3.21:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.7.1:compile
[INFO] |  +- org.thymeleaf:thymeleaf-spring5:jar:3.0.15.RELEASE:compile
[INFO] |  |  \- org.thymeleaf:thymeleaf:jar:3.0.15.RELEASE:compile
[INFO] |  |     +- org.attoparser:attoparser:jar:2.0.5.RELEASE:compile
[INFO] |  |     \- org.unbescape:unbescape:jar:1.1.6.RELEASE:compile
[INFO] |  \- org.thymeleaf.extras:thymeleaf-extras-java8time:jar:3.0.4.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.7.1:compile
[INFO] +- org.springframework.session:spring-session-core:jar:2.7.0:compile
[INFO] |  \- org.springframework:spring-jcl:jar:5.3.21:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.7.1:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.7.1:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.1:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.7.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.4.8:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:2.4.8:test
[INFO] |  |        \- org.ow2.asm:asm:jar:9.1:test
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test
[INFO] |  +- org.assertj:assertj-core:jar:3.22.0:test
[INFO] |  +- org.hamcrest:hamcrest:jar:2.2:test
[INFO] |  +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO] |  |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  |  +- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO] |  |  |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
[INFO] |  |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO] |  |     \- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO] |  +- org.mockito:mockito-core:jar:4.5.1:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.12.11:test
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.11:test
[INFO] |  |  \- org.objenesis:objenesis:jar:3.2:test
[INFO] |  +- org.mockito:mockito-junit-jupiter:jar:4.5.1:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-core:jar:5.3.21:compile
[INFO] |  +- org.springframework:spring-test:jar:5.3.21:test
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.9.0:test
[INFO] \- com.yoti:yoti-sdk-api:jar:3.6.0:compile
[INFO]    +- org.bouncycastle:bcpkix-jdk15on:jar:1.70:compile
[INFO]    |  +- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
[INFO]    |  \- org.bouncycastle:bcutil-jdk15on:jar:1.70:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO]    |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO]    |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO]    +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.3:compile
[INFO]    +- com.google.protobuf:protobuf-java:jar:3.21.12:compile
[INFO]    +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    \- org.apache.httpcomponents:httpmime:jar:4.5.13:compile
[INFO]       \- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO]          \- org.apache.httpcomponents:httpcore:jar:4.4.15:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect avatar Apr 19 '23 08:04 CVEDetect