Owasp-Dependency-Checker list finding CVE-2017-18640 for snakeyaml-1.2.4 #1608
Environment
Liquibase Version: 4.2.2 and earlier
Liquibase Integration & Version: All
Liquibase Extension(s) & Version: N/A
Database Vendor & Version: All
Operating System Type & Version: N/A
Description
CVE-2017-18640 issue on snakeyaml 1.24 that is packaged with Liquibase .zip, tar.gz and installer files.
Steps To Reproduce
Install Liquibase
Verify that snakeyaml-1.24.jar file is in the <installdirectory>/lib directory
Actual Behavior
snakeyaml-1.24.jar is in lib directory
Expected/Desired Behavior
snakeyaml-1.27.jar is in the lib directory to alleviate issue with CVE-2017-18640
Additional Context
Add any other context about the problem here.
snakeyaml-1.26 does not have the issue, but since we are moving up, we should move up to the latest.
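
The check from the steps above, as an added shell example that is not part of the original issue or of Liquibase: it scans a lib directory for snakeyaml jars and flags any older than 1.26, the version the report says does not have the issue. The function name and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag snakeyaml jars older than 1.26 in a Liquibase lib directory.
# The 1.26 threshold is taken from the issue text; check_snakeyaml_dir is a
# hypothetical helper name, not a Liquibase or Dependency-Check command.

FIXED_MAJOR=1
FIXED_MINOR=26

# Prints one line per snakeyaml jar found in the directory.
# Returns 0 if all jars are >= 1.26, 1 if any is older or unparseable,
# 2 if the directory contains no snakeyaml jar at all.
check_snakeyaml_dir() {
    dir=$1
    found=0
    flagged=0
    for jar in "$dir"/snakeyaml-*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        found=1
        name=${jar##*/}                    # e.g. snakeyaml-1.24.jar
        ver=${name#snakeyaml-}
        ver=${ver%.jar}                    # e.g. 1.24
        major=${ver%%.*}
        rest=${ver#*.}
        minor=${rest%%[!0-9]*}             # leading digits of the minor part
        case "$major" in ''|*[!0-9]*) major= ;; esac
        if [ -z "$major" ] || [ -z "$minor" ]; then
            echo "UNKNOWN  $name (cannot parse version)"
            flagged=1
            continue
        fi
        if [ "$major" -lt "$FIXED_MAJOR" ] ||
           { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -lt "$FIXED_MINOR" ]; }; then
            echo "AFFECTED $name (older than 1.26, CVE-2017-18640)"
            flagged=1
        else
            echo "OK       $name"
        fi
    done
    [ "$found" -eq 1 ] || { echo "no snakeyaml jar in $dir"; return 2; }
    return "$flagged"
}

# Stand-alone use: pass the lib directory as the first argument.
[ "$#" -eq 0 ] || check_snakeyaml_dir "$1"
```

The version is read from the jar file name only, so a renamed or shaded jar is not detected by this check.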