Describe the bug
Xray reports CVE-2022-1471 against org.yaml:snakeyaml 2.6. This CVE only affects SnakeYAML versions < 2.0, where `new Yaml()` defaulted to the unsafe Constructor, which instantiates any class named by a global tag (`!!some.Class`) in untrusted input. In 2.0+ the default loader rejects global tags unless the application opts in through LoaderOptions.setTagInspector, so the vulnerability does not apply to 2.x.
To Reproduce
Run an Xray scan on an artifact that contains org.yaml:snakeyaml 2.6 and observe CVE-2022-1471 reported against it. This CVE impacts SnakeYAML < 2.0 only; version 2.6 is well above the fix threshold.
Expected behavior
CVE-2022-1471 should not be reported for SnakeYAML >= 2.0, as the vulnerability was resolved in 2.0 by making the default loader reject global (class) tags instead of constructing arbitrary classes from them.
Versions
- Package: org.yaml:snakeyaml:2.6
- Vulnerable range per NVD: < 2.0
- Fix version: 2.0
Additional context
GitHub advisory: GHSA-mjmj-j48q-9wg2
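A quick way to confirm the finding is a false positive on the actual artifact is to feed the well-known CVE-2022-1471 payload shape to the library and see whether the loader ever attempts to construct the named class. The class below is an added example written for this report, not code from SnakeYAML or from Xray; it assumes only that org.yaml:snakeyaml 2.x is on the classpath (the class name, the `Greeting` bean and the sample YAML strings are constructed for illustration).

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.composer.ComposerException;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Checks whether the SnakeYAML build on the classpath lets the default loader
 * instantiate arbitrary classes from untrusted YAML (the CVE-2022-1471 behaviour).
 * Run it against org.yaml:snakeyaml:2.6 to show the CVE does not apply.
 */
public class SnakeYamlGlobalTagCheck {

    // Constructed sample input: the shape of the public CVE-2022-1471 payload.
    // What matters is not whether it "works" but whether the loader even tries
    // to construct javax.script.ScriptEngineManager from an untrusted document.
    private static final String UNTRUSTED =
        "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader "
        + "[[!!java.net.URL [\"http://127.0.0.1:1/\"]]]]";

    // Harmless bean used only to show what explicit opt-in looks like in 2.x.
    public static class Greeting {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * 2.x default: new Yaml() rejects global (class) tags in the composer,
     * before any constructor or class lookup runs.
     */
    static boolean defaultLoaderAttemptsClassConstruction() {
        try {
            new Yaml().load(UNTRUSTED);
            return true;                 // pre-2.0 behaviour: the class was instantiated
        } catch (ComposerException e) {
            return false;                // 2.x: "Global tag is not allowed: ..." raised first
        } catch (RuntimeException e) {
            return true;                 // construction was attempted and failed for another reason
        }
    }

    /** SafeConstructor refuses custom tags on every version (1.x and 2.x). */
    static boolean safeConstructorAttemptsClassConstruction() {
        try {
            new Yaml(new SafeConstructor(new LoaderOptions())).load(UNTRUSTED);
            return true;
        } catch (YAMLException e) {
            return false;
        }
    }

    /** In 2.x an application must opt in per tag via LoaderOptions.setTagInspector. */
    static Greeting loadTrustedBean() {
        LoaderOptions opts = new LoaderOptions();
        // Allow exactly one class; ScriptEngineManager and everything else stay rejected.
        opts.setTagInspector(tag -> tag.getClassName().equals(Greeting.class.getName()));
        Yaml yaml = new Yaml(new Constructor(opts));
        return yaml.load("!!" + Greeting.class.getName() + " {name: world}");
    }

    public static void main(String[] args) {
        System.out.println("default Yaml() attempts class construction: "
            + defaultLoaderAttemptsClassConstruction());
        System.out.println("SafeConstructor attempts class construction: "
            + safeConstructorAttemptsClassConstruction());
        System.out.println("opt-in bean name: " + loadTrustedBean().getName());
    }
}
```

With snakeyaml 2.6 on the classpath the first two lines print `false` and the third prints `world`; swapping in a 1.x artifact (for example 1.33) makes the first line report `true`, which is the exact behaviour the CVE describes and the version boundary a scanner should be matching on.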