[JSFIELD-35] Major vulnerability in maven:org.yaml:snakeyaml:1.33 Created: 18/Apr/23 Updated: 24/Jan/24 Resolved: 25/Sep/23 |
|
| Status: | Closed |
| Project: | Java Script UI (App and Dialog Fields) |
| Component/s: | None |
| Affects Version/s: | 2.0 |
| Fix Version/s: | 2.0.2 |
| Type: | Improvement | Priority: | High |
| Reporter: | Michael Evelt | Assignee: | Teresa Miyar |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
The current version of the JSFIELD module <dependency> <groupId>info.magnolia.ui</groupId> <artifactId>magnolia-ui-framework-javascript</artifactId> <version>2.0</version> </dependency> is dependent on maven:org.yaml:snakeyaml:1.33. This dependency contains 1 medium and 1 major severity security issue and should be replaced: |
| Comments |
| Comment by Teresa Miyar [ 18/Apr/23 ] |
|
Hi, Thank you for informing us, we will update it asap. |
| Comment by Teresa Miyar [ 18/Apr/23 ] |
|
Hi, It is a known issue that affects core; it is being handled already: https://jira.magnolia-cms.com/browse/MAGNOLIA-8879. We will update the dependency to Magnolia once it is solved. |
| Comment by Michael Evelt [ 18/Apr/23 ] |
|
Perfect! Could you inform me as soon as the change is published, since I have no reading access to the referenced ticket? |
| Comment by Teresa Miyar [ 18/Apr/23 ] |
|
Yes, also, they have confirmed that Magnolia is not affected by any of those CVEs. |
| Comment by Michael Evelt [ 18/Apr/23 ] |
|
Hi, |
| Comment by Teresa Miyar [ 17/May/23 ] |
|
Hi, Magnolia 6.2.34 is out with the fix. |