
I am periodically checking vulnerabilities on my pom.xml and generally fix these problems by updating the dependency versions. However, I get the following error:

Provides transitive vulnerable dependency maven:org.yaml:snakeyaml:1.30 CVE-2022-25857 7.5 Uncontrolled Resource Consumption vulnerability pending CVSS allocation CVE-2022-38752 6.5 Out-of-bounds Write vulnerability with medium severity found CVE-2022-38749 6.5 Out-of-bounds Write vulnerability pending CVSS allocation CVE-2022-38750 5.5 Out-of-bounds Write vulnerability pending CVSS allocation CVE-2022-38751 6.5 Out-of-bounds Write vulnerability pending CVSS allocation CVE-2022-41854 6.5 Stack-based Buffer Overflow vulnerability with medium severity found CVE-2022-1471 9.8 Deserialization of Untrusted Data vulnerability with high severity found
Results powered by Checkmarx(c)

I try to add <version> to the <artifactId>spring-boot-starter-web</artifactId> in my pom.xml, but it does not make any sense.

So, how can I fix this problem properly? I use IntelliJ's default features to fix this kind of problem, but should I use any extra useful plugins, etc.?


6 Answers


Unfortunately, Spring Boot 2.7.x still uses an older, vulnerable version of SnakeYAML (1.30). They still have not upgraded it to the last version (1.33). Spring Boot 3.0.0 does depend on version 1.33.

Assuming you cannot upgrade to Spring Boot 3.0.0 yet, the only thing that should work is to add a dependency to SnakeYAML 1.33 in your project. That version should then take precedence over Spring Boot's transitive dependency.

However, SnakeYAML 1.33 still has a vulnerability. Since that is the last version (SnakeYAML 2.x is not compatible with 1.x), that's something you can't get rid of until the SnakeYAML team fixes that.

Edit: with SnakeYAML 2.x, I meant this one. SnakeYAML 1.33 recently had a follow-up 2.0 version which is a different one. Compatibility between 1.33 and 2.0 is still not 100%, but Spring Boot 2.7.10+ and Spring Boot 3.x should support both.

  • 1. There is no <version> for <artifactId>spring-boot-starter-web</artifactId> by default I think. Then, should we use <version> tag and set? Or should we keep it empty so that it uses the last version? I am just asking for spring-boot-starter-web, normally I try to set version in case new versions may cause incompatibility problems.
    – Jack
    Commented Dec 13, 2022 at 9:13
  • 2. There were also some approaches by removing dependencies and adding them on pom.xml. That was probably removing built-in dependencies and then adding them separately. Is it also a proper way for some vulnerability situations?
    – Jack
    Commented Dec 13, 2022 at 9:15
  • 1. The version for the starter probably comes from the parent you specified in your pom.xml, or otherwise from a dependency management section. You can leave that version out. For the SnakeYAML dependency you should set the version, as otherwise you'll still use the Spring Boot provided version.
    – Rob Spoor
    Commented Dec 13, 2022 at 10:46
  • 2. You can exclude dependencies of your dependencies, but if you need those anyway, including them as separate dependencies is easier. Direct dependencies always take precedence over transitive dependencies.
    – Rob Spoor
    Commented Dec 13, 2022 at 10:47
  • The latest version has a vulnerability too (mvnrepository.com/artifact/org.yaml/snakeyaml) - I'll try to use 2.0 and see if it works with Spring Boot 3.0.4
    Commented Mar 21, 2023 at 9:04

SnakeYAML 2.2 version is compatible with SpringBoot 3.1.3.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
    <version>2.2</version>
</dependency>

Copy and paste in your pom.xml and re-run your application.


Rob Spoor has already explained why; this warning can be eliminated by excluding dependencies:

<exclusions>
    <exclusion>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
    </exclusion>
</exclusions>

Add the above code to the corresponding <dependency> element.

  • 2
    Is this dependency not used by Spring Boot to parse application.yaml?
    – Tristan
    Commented May 9, 2023 at 15:22
  • And we need to add implementation group: 'org.yaml', name: 'snakeyaml', version: '2.1' Commented Aug 16, 2023 at 14:50

I had the same warning in Spring Boot 3.0.6. It was working properly, but it annoyed me a lot to see a huge yellow piece of code in pom.xml. I overcame this issue by adding exclusions to the code, as was mentioned above.

Code with the warning:

<dependency>
  <artifactId>spring-boot-starter-data-mongodb</artifactId>
  <groupId>org.springframework.boot</groupId>
</dependency>

This is the working solution:

<dependency>
  <artifactId>spring-boot-starter-data-mongodb</artifactId>
  <groupId>org.springframework.boot</groupId>
  <exclusions>
    <exclusion>
      <artifactId>snakeyaml</artifactId>
      <groupId>org.yaml</groupId>
    </exclusion>
  </exclusions>
</dependency>

You need to update the SnakeYAML version to 2.0. To do this, add the below code in pom.xml and re-run your application.

<dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
    <version>2.0</version>
</dependency>
  • 2.0 isn't compatible with Spring Boot at least 3.1.0
    – Eljah
    Commented Jun 10, 2023 at 14:36
  • Thanks Eljah, yes we need Spring Boot version 3.1.0 for this to work.
    Commented Jun 11, 2023 at 17:18

When you have a Maven setup where spring-boot is your parent, you can also set the snakeyaml.version property to override its version:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>example.com</groupId>
    <artifactId>foo</artifactId>
    <version>1.13-SNAPSHOT</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.1.4</version>
        <relativePath />
    </parent>

    <properties>
        <!-- overrides the version managed by spring-boot-starter-parent -->
        <snakeyaml.version>2.2</snakeyaml.version>
    </properties>
    <!-- ... -->
</project>
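Whichever override you pick (a direct dependency as in Rob Spoor's answer, or the snakeyaml.version property as in this one), the scanner warning is only gone for real once Maven actually resolves the newer jar. This added script, which is not from any answer in this thread, parses `mvn dependency:tree -Dverbose` output and reports the SnakeYAML version that ends up on the classpath; the two trees embedded in it are constructed samples in Maven's tree format, and the module name com.example:demo is an assumption.

```python
import re
import sys
# Constructed sample of `mvn dependency:tree -Dverbose` output (not from the
# thread): Spring Boot 2.7.x pulling SnakeYAML 1.30 in transitively.
TREE_BEFORE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.5:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter:jar:2.7.5:compile
[INFO] |     \\- org.yaml:snakeyaml:jar:1.30:compile
"""
# Constructed sample after declaring org.yaml:snakeyaml:2.2 directly (nearest-wins keeps it).
TREE_AFTER = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.5:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter:jar:2.7.5:compile
[INFO] |     \\- (org.yaml:snakeyaml:jar:1.30:compile - omitted for conflict with 2.2)
[INFO] \\- org.yaml:snakeyaml:jar:2.2:compile
"""

def parse_tree(text):
    """Return (groupId, artifactId, version, omitted) for every dependency node."""
    nodes = []
    for raw in text.splitlines():
        line = raw.replace("[INFO]", "", 1).strip().lstrip("+-|\\ ")
        omitted = line.startswith("(")             # verbose mode brackets omitted nodes
        coords = line.strip("()").split(" - ")[0]  # drop "- omitted for conflict ..."
        parts = coords.split(":")                  # g:a:type[:classifier]:version:scope
        if len(parts) >= 5:                        # skips the root module line and noise
            nodes.append((parts[0], parts[1], parts[-2], omitted))
    return nodes

def version_key(version):
    """Comparable key for 1.30, 2.2, 1.13-SNAPSHOT ... (numeric components only)."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))

def resolved_version(text, group, artifact):
    """The version Maven actually puts on the classpath, or None if absent."""
    for g, a, v, omitted in parse_tree(text):
        if (g, a) == (group, artifact) and not omitted:
            return v
    return None

def check_min_version(text, group, artifact, minimum):
    """True only when a non-omitted copy at or above `minimum` is resolved."""
    v = resolved_version(text, group, artifact)
    return v is not None and version_key(v) >= version_key(minimum)

if __name__ == "__main__":  # pipe real `mvn dependency:tree -Dverbose` output in
    print(check_min_version(sys.stdin.read(), "org.yaml", "snakeyaml", "2.0"))
```

Run it as `mvn dependency:tree -Dverbose | python check_snakeyaml.py` after applying one of the overrides above; it prints True only when a non-omitted SnakeYAML at 2.0 or later is on the classpath. Note that an exclusion removes the artifact from the tree rather than upgrading it, so the check reports False for that case too.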
