Owasp-Dependency-Checker list finding CVE-2017-18640 for snakeyaml-1.2.4 #1608
Labels
Comments
8 tasks
This was referenced Feb 10, 2021
This was referenced Apr 22, 2021
This was referenced Apr 30, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Environment
Liquibase Version:4.2.2 and earlier
Liquibase Integration & Version:All
Liquibase Extension(s) & Version: N/A
Database Vendor & Version:All
Operating System Type & Version:N/A
Description
CVE-2017-18640 issue on snakeyaml 1.24 that is packaged with Liquibase .zip, tar.gz and installer files.
Steps To Reproduce
Install Liquibase,
Verify that snakeyaml-1.24.jar file is in
<installdirectory>/libdirectoryActual Behavior
snakeyaml-1.24.jar is in lib directory
Expected/Desired Behavior
snakeyaml-1.27.jar is in the lib directory to alleviate issue with CVE-2017-18640
Additional Context
Add any other context about the problem here.
snakeyaml-1.26 does not have the issue but since we are moving up should move up to latest.
The text was updated successfully, but these errors were encountered: