Security vulnerability for SnakeYAML 1.23

Aditi · July 5, 2021, 3:23pm

Hi,

As per NVD, the SnakeYAML 1.23 version present in readonlyrest-1.26.1_es7.10.0.zip is vulnerable to CVE-2017-18640.

Please look into this.

coutoPL · July 5, 2021, 7:17pm

Did you check the latest version of ROR?

Aditi · July 8, 2021, 4:36am

I have upgraded the ROR version to 1.31 but its seems SnakeYAML 1.29 version is recommended version with no known vulnerability as of now.

coutoPL · July 18, 2021, 6:27pm

here is ROR pre-build with upgraded SnakeYAML to 1.29.0

sscarduzio · July 19, 2021, 9:52am

did SnakeYAML fix that memory leak that costed us a lot of sweat to debug? We ended up downgrading to an older version back then.

coutoPL · July 19, 2021, 4:52pm

I seems that SnakeYAML > 1.25 doesn’t have this issue. To be sure I run profiler and a test script and I don’t see a leak in 1.29