This repository has been archived by the owner on Apr 14, 2023. It is now read-only.

CVE-2017-18640 (High) detected in snakeyaml-1.23.jar #1658

Closed
mend-for-github-com bot opened this issue Feb 10, 2020 · 5 comments · Fixed by #1715
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-for-github-com

mend-for-github-com bot commented Feb 10, 2020

CVE-2017-18640 - High Severity Vulnerability

Vulnerable Library - snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: datahelix/core/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210105075946_PBSPKZ/downloadResource_NGKOHV/20210105080020/snakeyaml-1.23.jar

Dependency Hierarchy:

  • javafaker-1.0.2.jar (Root Library)
    • snakeyaml-1.23.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution: org.yaml:snakeyaml:1.26

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Feb 10, 2020
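An added illustration of the alias-expansion behaviour the report above describes. This is example code written for this page, not code from datahelix, javafaker or SnakeYAML. It assumes org.yaml:snakeyaml 1.26 or later on the classpath (the `LoaderOptions.setMaxAliasesForCollections` method does not exist in 1.23), and the YAML document it loads is constructed inline.

```java
import java.util.List;
import java.util.Map;

import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

/**
 * Added example for CVE-2017-18640 (alias expansion during load).
 * Not part of the datahelix project; requires snakeyaml 1.26+.
 */
public class AliasExpansionDemo {

    static final int WIDTH = 9; // aliases per level
    static final int DEPTH = 6; // levels a1..a6: 9 * 6 = 54 collection aliases, above the 1.26 default of 50

    /**
     * Constructed document: a0 holds WIDTH scalars, every later level holds
     * WIDTH aliases to the level below. Text size grows linearly with DEPTH,
     * the fully expanded tree grows as WIDTH^(DEPTH+1).
     */
    static String buildBomb(int width, int depth) {
        StringBuilder sb = new StringBuilder();
        sb.append("a0: &a0 [");
        for (int i = 0; i < width; i++) {
            sb.append(i == 0 ? "x" : ", x");
        }
        sb.append("]\n");
        for (int level = 1; level <= depth; level++) {
            sb.append("a").append(level).append(": &a").append(level).append(" [");
            for (int i = 0; i < width; i++) {
                sb.append(i == 0 ? "" : ", ").append("*a").append(level - 1);
            }
            sb.append("]\n");
        }
        return sb.toString();
    }

    /** Loader with the 1.26 alias limit stated explicitly (50 is also the default). */
    static Yaml hardenedLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(50);
        // SafeConstructor is a separate hardening: it refuses tags that instantiate arbitrary classes.
        return new Yaml(new SafeConstructor(), new Representer(), new DumperOptions(), opts);
    }

    /** Loader that reproduces the pre-1.26 behaviour: no limit on collection aliases. */
    static Yaml permissiveLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(Integer.MAX_VALUE);
        return new Yaml(new SafeConstructor(), new Representer(), new DumperOptions(), opts);
    }

    /** Walks the loaded graph the way toString(), a re-dump or a JSON serializer would. */
    static long countLeaves(Object node) {
        long n = 0;
        if (node instanceof List) {
            for (Object child : (List<?>) node) {
                n += countLeaves(child);
            }
            return n;
        }
        if (node instanceof Map) {
            for (Object child : ((Map<?, ?>) node).values()) {
                n += countLeaves(child);
            }
            return n;
        }
        return 1;
    }

    public static void main(String[] args) {
        String doc = buildBomb(WIDTH, DEPTH);
        System.out.println("document size in bytes: " + doc.length());

        // Unlimited aliases: the load succeeds and the consumer pays for the expansion.
        Map<?, ?> root = permissiveLoader().load(doc);
        long leaves = countLeaves(root.get("a" + DEPTH));
        System.out.println("scalar leaves reachable from a" + DEPTH + ": " + leaves);

        // 1.26 limit: the Composer rejects the document at the 51st collection alias.
        try {
            hardenedLoader().load(doc);
            System.out.println("unexpected: hardened load succeeded");
        } catch (YAMLException e) {
            System.out.println("rejected by hardened loader: " + e.getMessage());
        }
    }
}
```

With the constants above the document is under 400 bytes, yet the subtree reachable from `a6` has 9^7 scalar leaves. SnakeYAML constructs one Java object per anchor and reuses it for every alias, so the load itself is cheap; the cost lands on whatever walks the result afterwards (`toString()`, re-dumping, JSON serialization, `equals`/`hashCode` on the collections). The 1.26 check sits in the composer and fires before any object is constructed, which is why the default of 50 collection aliases is the fix the report recommends rather than a downstream guard. A practical side effect of the API change: this class does not compile against snakeyaml 1.23, so a green build is itself evidence that the transitive upgrade actually landed.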
@Ro4052
Contributor

Ro4052 commented Jul 13, 2020

Looks like Faker 1.0.2 still uses snakeyaml 1.23.

@tjohnson-scottlogic
Contributor

Just spotted that this has been raised with Faker - issue 470.

@RockyMM

RockyMM commented Jul 22, 2020

I provided a PR for this issue in Faker

@cuthullu cuthullu added the blocked This issue is blocked, label should be combined with another explaining why its blocked label Aug 28, 2020
@Tom-hayden
Contributor

This has been resolved by DiUS/java-faker#569

@Tom-hayden Tom-hayden removed the blocked This issue is blocked, label should be combined with another explaining why its blocked label Sep 3, 2020
@Tom-hayden Tom-hayden reopened this Sep 3, 2020
@Tom-hayden Tom-hayden added the blocked This issue is blocked, label should be combined with another explaining why its blocked label Sep 3, 2020
@Tom-hayden
Contributor

Waiting on Java-faker release

@mend-for-github-com mend-for-github-com bot removed the blocked This issue is blocked, label should be combined with another explaining why its blocked label Dec 21, 2020
matthewdunsdon added a commit to matthewdunsdon/datahelix that referenced this issue Dec 22, 2020
matthewdunsdon added a commit to matthewdunsdon/datahelix that referenced this issue Jan 5, 2021
Uses require as:
> Implies that the selected version cannot be lower than what require accepts
but could be higher through conflict resolution, even if higher has an
exclusive higher bound.
>
> https://docs.gradle.org/current/userguide/rich_versions.html
willsalt-sl added a commit that referenced this issue Jan 5, 2021

5 participants