[FOLIO-3734] mod-consortia: snakeyaml 2.0 fixing CVE-2022-1471, Spring Boot 3.0.4

Created: 03/Mar/23 | Updated: 06/Mar/23 | Resolved: 06/Mar/23
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug |
| Priority: | TBD |
| Reporter: | Julian Ladisch |
| Assignee: | Unassigned |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Sprint: | |
| Development Team: | Thunderjet |
| RCA Group: | Related dependency upgrade |
Description

In https://github.com/folio-org/mod-consortia, upgrade snakeyaml from 1.33 to 2.0, fixing the arbitrary code execution vulnerability CVE-2022-1471: https://nvd.nist.gov/vuln/detail/CVE-2022-1471

Spring Boot >= 3.0.3 is compatible with snakeyaml 2.x: https://github.com/spring-projects/spring-boot/issues/34405
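An added illustration, not taken from the ticket or the mod-consortia repository, of how such an upgrade is typically pinned in a Spring Boot Maven build; it assumes the module's pom.xml inherits from spring-boot-starter-parent, which manages the snakeyaml version through the snakeyaml.version property:

```xml
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <!-- 3.0.3 or later accepts snakeyaml 2.x; 3.0.4 as named in the ticket title -->
    <version>3.0.4</version>
    <relativePath/>
  </parent>

  <properties>
    <!-- Override the parent-managed version so every transitive use of
         org.yaml:snakeyaml resolves to 2.0 (the fix for CVE-2022-1471) -->
    <snakeyaml.version>2.0</snakeyaml.version>
  </properties>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` should list only version 2.0; a remaining 1.x entry points at a dependency that pins its own copy and needs an explicit exclusion or override.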