[JSFIELD-35] Major vulnerability in maven:org.yaml:snakeyaml:1.33 Created: 18/Apr/23  Updated: 24/Jan/24  Resolved: 25/Sep/23

Status: Closed
Project: Java Script UI (App and Dialog Fields)
Component/s: None
Affects Version/s: 2.0
Fix Version/s: 2.0.2

Type: Improvement Priority: High
Reporter: Michael Evelt Assignee: Teresa Miyar
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident
Template:
Acceptance criteria:
Empty
Date of First Response:

 Description   

The current version of the JSFIELD module

<dependency>
  <groupId>info.magnolia.ui</groupId>
  <artifactId>magnolia-ui-framework-javascript</artifactId>
  <version>2.0</version>
</dependency>

is dependent on maven:org.yaml:snakeyaml:1.33

This dependency contains one medium- and one major-severity security issue and should be replaced:
https://devhub.checkmarx.com/cve-details/CVE-2022-41854/?utm_source=jetbrains&utm_medium=referral&utm_campaign=idea&utm_term=maven

https://devhub.checkmarx.com/cve-details/CVE-2022-1471/?utm_source=jetbrains&utm_medium=referral&utm_campaign=idea&utm_term=maven


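Added example (not code from the JSFIELD module, Magnolia or the snakeyaml project): what the two CVEs linked above look like at the API level of the affected org.yaml:snakeyaml:1.33, and the loading pattern that closes both in any code that parses YAML with that library. The two inputs are constructed for the demonstration, the class name SnakeYamlHardening and the chosen limits are assumptions, and the code targets the 1.33 API (Java 11+ for String.repeat; snakeyaml 2.x removed the no-argument Representer constructor used here).

```java
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

/**
 * Added example, not code from the JSFIELD module or from Magnolia.
 * Written against the org.yaml:snakeyaml:1.33 API named in this issue.
 */
public class SnakeYamlHardening {

    // Constructed inputs for the demonstration; nothing here is taken from the issue.

    // A global tag naming an arbitrary class on the classpath. The default
    // Constructor behind `new Yaml()` resolves that class and calls a matching
    // constructor, which is the behaviour CVE-2022-1471 is about. java.io.File
    // is used because instantiating it does nothing harmful.
    static final String GLOBAL_TAG_INPUT = "!!java.io.File [ \"/tmp/constructed-example\" ]";

    // A document that is nothing but nesting (5000 opening brackets, then 5000
    // closing ones): the shape behind the stack-overflow class of bugs that
    // CVE-2022-41854 belongs to.
    static final String DEEP_NESTING_INPUT = "[".repeat(5000) + "]".repeat(5000);

    /** The pattern to look for in code review: default Constructor, no limits. */
    static Object loadUnsafely(String document) {
        return new Yaml().load(document);
    }

    /** Hardened pattern: SafeConstructor (core YAML types only) plus explicit resource limits. */
    static Object loadSafely(String document) {
        LoaderOptions options = new LoaderOptions();
        options.setNestingDepthLimit(50);         // composer aborts instead of recursing deeper
        options.setAllowRecursiveKeys(false);     // no self-referential anchors used as map keys
        options.setMaxAliasesForCollections(50);  // bounds alias expansion ("billion laughs")
        options.setCodePointLimit(1024 * 1024);   // refuse documents larger than 1 MiB
        // The options are handed to both the constructor and the Yaml facade so that the
        // parser/composer limits apply in addition to the constructor restriction.
        Yaml yaml = new Yaml(new SafeConstructor(options), new Representer(),
                             new DumperOptions(), options);
        return yaml.load(document);
    }

    public static void main(String[] args) {
        // With the default Constructor the global tag is honoured and a java.io.File
        // is built from attacker-controlled text.
        Object built = loadUnsafely(GLOBAL_TAG_INPUT);
        System.out.println("default Constructor instantiated: " + built.getClass().getName());

        // SafeConstructor has no constructor registered for that tag and throws
        // a ConstructorException (a YAMLException) instead of instantiating anything.
        try {
            loadSafely(GLOBAL_TAG_INPUT);
            System.out.println("unexpected: SafeConstructor accepted a global tag");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor rejected the global tag: " + e.getMessage());
        }

        // The nesting limit makes the composer fail fast on the deep document
        // rather than consuming the stack.
        try {
            loadSafely(DEEP_NESTING_INPUT);
            System.out.println("unexpected: nesting limit did not trigger");
        } catch (YAMLException e) {
            System.out.println("nesting limit rejected the deep document: " + e.getMessage());
        }
    }
}
```

To see which snakeyaml a build actually resolves, and through which dependency it arrives, run `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` in the project; the hardened loading pattern is worth applying in your own YAML-parsing code regardless, since a version bump of a transitive dependency can be undone by the next upgrade of whichever artifact pulls it in.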

 Comments   
Comment by Teresa Miyar [ 18/Apr/23 ]

Hi,

Thank you for informing us, we will update it asap.

Comment by Teresa Miyar [ 18/Apr/23 ]

Hi,

It is a known issue that affects core; it is being handled already in https://jira.magnolia-cms.com/browse/MAGNOLIA-8879. We will update the dependency to Magnolia once it is solved.

Comment by Michael Evelt [ 18/Apr/23 ]

Perfect!

Could you inform me as soon as the change is published, since I have no read access to the referenced ticket?

Comment by Teresa Miyar [ 18/Apr/23 ]

Yes. Also, they have confirmed that Magnolia is not affected by any of those CVEs.

Comment by Michael Evelt [ 18/Apr/23 ]

Hi,
that is good to know.

Comment by Teresa Miyar [ 17/May/23 ]

Hi,

Magnolia 6.2.34 is out with the fix.

Generated at Mon Feb 12 02:16:28 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.