besu
snakeyaml vulnerability
Could you fix the following vulnerability in the current besu docker image?
Tested on the current release, 22.7.2:
Java (jar)
==========
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

| LIBRARY            | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|--------------------|------------------|----------|-------------------|---------------|-------|
| org.yaml:snakeyaml | CVE-2022-25857   | HIGH     | 1.26              | 1.31          | The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable t ...... (avd.aquasec.com/nvd/cve-2022-25857) |
| org.yaml:snakeyaml | CVE-2022-38752   | MEDIUM   | 1.26              | 1.32          | Using snakeYAML to parse untrusted YAML files may be vulnerable to Den... (avd.aquasec.com/nvd/cve-2022-38752) |
Thanks
snakeyaml 1.32 still has "snakeyaml-1.32.jar (pkg:maven/org.yaml/snakeyaml@1.32, cpe:2.3:a:snakeyaml_project:snakeyaml:1.32:*:*:*:*:*:*:*, cpe:2.3:a:yaml_project:yaml:1.32:*:*:*:*:*:*:*) : CVE-2022-38752" as per https://github.com/ConsenSys/tessera/pull/1484#issuecomment-1238897912
Patched with #4419
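A quick way to confirm, without re-running Trivy, that an image ships a snakeyaml jar at or above the fixed versions from the scan table (1.31 for CVE-2022-25857, 1.32 for CVE-2022-38752). This is an added example and is not code from the issue or from the Besu project; the jar listings are constructed here to stand in for `ls` output from a Besu image's `/opt/besu/lib` directory (that path is an assumption), and the fixed-version table is taken from the Trivy output above, so a 1.31 jar is reported as closing only the first CVE, which is the point the follow-up comment makes.

```shell
#!/bin/sh
# Added example (not from the issue or the Besu project): check a jar listing
# for the snakeyaml version and compare it against the fixed versions that the
# Trivy table reports for each CVE.

# Constructed sample listings. In practice this would be the output of e.g.
#   docker run --rm --entrypoint ls hyperledger/besu:22.7.2 /opt/besu/lib
# (image tag and lib path are assumptions, not taken from the issue).
SAMPLE_LIBS_UNPATCHED="besu-22.7.2.jar
jackson-databind-2.13.4.jar
snakeyaml-1.26.jar
netty-handler-4.1.79.Final.jar"

SAMPLE_LIBS_HALF_PATCHED="besu-22.7.2.jar
snakeyaml-1.31.jar"

SAMPLE_LIBS_PATCHED="besu-22.7.2.jar
snakeyaml-1.33.jar"

# CVE -> first fixed version, as reported in the Trivy table on this issue
FIXED_VERSIONS="CVE-2022-25857:1.31
CVE-2022-38752:1.32"

# snakeyaml_version: read a jar listing on stdin, print the snakeyaml version
# (first match only), or nothing if no snakeyaml jar is present.
snakeyaml_version() {
  sed -n 's/^snakeyaml-\([0-9][0-9.]*\)\.jar$/\1/p' | head -n 1
}

# version_ge A B: exit 0 when dotted version A >= B, comparing component-wise
# as integers so that 1.33 > 1.4 and 2.0 > 1.33.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_snakeyaml LISTING: print one verdict line per CVE; exit 1 if any CVE is
# still open, 2 if no snakeyaml jar was found, 0 if all are closed.
check_snakeyaml() {
  version=$(printf '%s\n' "$1" | snakeyaml_version)
  if [ -z "$version" ]; then
    echo "snakeyaml: no snakeyaml-*.jar in listing"
    return 2
  fi
  status=0
  for entry in $FIXED_VERSIONS; do
    cve=${entry%%:*}
    fixed=${entry#*:}
    if version_ge "$version" "$fixed"; then
      echo "$cve: installed $version >= fixed $fixed: ok"
    else
      echo "$cve: installed $version < fixed $fixed: VULNERABLE"
      status=1
    fi
  done
  return $status
}

# Stand-alone run: show the three constructed cases.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  for libs in "$SAMPLE_LIBS_UNPATCHED" "$SAMPLE_LIBS_HALF_PATCHED" "$SAMPLE_LIBS_PATCHED"; do
    check_snakeyaml "$libs"
    echo "exit status: $?"
    echo
  done
fi
```

The half-patched listing is the interesting one: bumping only to 1.31 silences the HIGH finding but leaves CVE-2022-38752 open, which is why the follow-up comment insists on 1.32 or later. Real scanners also match on CPE rather than on the jar name alone, so treat this check as a fast sanity test of what landed in the image, not as a replacement for Trivy or dependency-check.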