...
So we need to manually check each SnakeYaml use.
These are vulnerable:
new Yaml()
new Yaml(new org.yaml.snakeyaml.constructor.Constructor() [, ...])
This is not vulnerable:
new Yaml(new org.yaml.snakeyaml.constructor.SafeConstructor() [, ...])
If a different Constructor is passed as the first parameter, you need to check it manually.
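The vulnerable and hardened forms above side by side, as an added example that is not part of the original text or of any folio-org project; it assumes a SnakeYAML 1.x version where SafeConstructor has a no-argument constructor, and the tagged class name in the sample document is a constructed placeholder:

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import java.util.Map;

public class SnakeYamlLoaderCheck {
    // Constructed sample: a document carrying a global (!!) tag, the kind of input
    // that must never reach the default constructor when it comes from an untrusted
    // source. The class name is a placeholder, not a real class.
    static final String TAGGED_YAML = "name: demo\nhandler: !!com.example.NotRealClass {}\n";
    static final String PLAIN_YAML = "name: demo\nhandler: none\n";

    // Vulnerable form from the text: new Yaml() uses the default Constructor,
    // which instantiates whatever class a !! tag names. Never call this on
    // data you do not control; it is shown here only as the "before" form.
    static Object loadWithDefaultConstructor(String yaml) {
        return new Yaml().load(yaml);
    }

    // Hardened form from the text: SafeConstructor only knows the standard
    // YAML types (maps, lists, scalars) and rejects every other tag.
    // On SnakeYAML 2.x pass new LoaderOptions() to SafeConstructor.
    static Object loadSafely(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    public static void main(String[] args) {
        try {
            loadSafely(TAGGED_YAML);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // Expected: a ConstructorException such as
            // "could not determine a constructor for the tag tag:yaml.org,2002:com.example.NotRealClass"
            System.out.println("rejected as expected: " + e.getMessage());
        }
        // Untagged documents still parse normally into plain Java collections.
        Map<?, ?> plain = (Map<?, ?>) loadSafely(PLAIN_YAML);
        System.out.println("name=" + plain.get("name") + " handler=" + plain.get("handler"));
    }
}
```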
Searching for "new yaml" in folio-org:
...
- vertx-conf/vertx-conf-yaml has been fixed since Vert.x 4.3.4
- vertx-web has been fixed since Vert.x 4.3.4
- Spring Framework has been fixed since spring-framework 5.3.4
- Spring Boot has been fixed since spring boot 2.1.15.RELEASE
- Testcontainers is vulnerable when ParsedDockerComposeFile is used with dynamic input.
If SnakeYaml is only used to parse a hard-coded YAML file, such as a configuration file from the git repository, then there is no exploit.
...