...
- vertx-conf/vertx-conf-yaml has been fixed since Vert.x 4.3.4
- vertx-web has been fixed since Vert.x 4.3.4
- Spring Framework has been fixed since spring-framework 5.3.4
- Spring Boot has been fixed since spring boot 2.1.15.RELEASE
- Testcontainers is vulnerable when ParsedDockerComposeFile is used with dynamic (i.e. externally supplied, attacker-controllable) input.
- Liquibase is vulnerable only when the Liquibase Hub Service is used (it fetches a YAML file from an external server; see StandardHubService.java and HttpClient.java). All other SnakeYaml usages are safe because they either use SafeConstructor or only serialize (dump) and never deserialize (load); a code search for "new Yaml" confirms this.
- Karate has always been safe (see JsonUtils.java).
If SnakeYaml is only used to parse a hard-coded YAML file that an attacker cannot modify, such as a configuration file checked into the git repository, then there is no exploit: the issue requires attacker-controlled YAML reaching a `Yaml` instance built with the default Constructor.
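The distinction the list above relies on (default Constructor versus SafeConstructor, and untrusted versus hard-coded input) in runnable form. This is an added example, not code from any of the projects named above. It assumes `org.yaml:snakeyaml` 1.33 on the classpath (the last 1.x line, where `new Yaml()` still honours global `!!` tags; from 2.0 on the default Constructor rejects them unless a TagInspector allows them). The YAML string and the class `SnakeYamlTagDemo` are constructed for the demonstration; the `!!` tag names the harmless `java.util.HashMap` only to show that the document, not the caller, picks the class that gets instantiated.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SnakeYamlTagDemo {

    // Constructed input standing in for an attacker-controlled document.
    // A "!!" global tag names a Java class for SnakeYAML to instantiate.
    // java.util.HashMap is harmless; the point is that the caller did not
    // choose the class, the YAML did. Any class on the classpath with a
    // suitable constructor or setters can be named the same way.
    static final String UNTRUSTED = "settings: !!java.util.HashMap {cmd: ls}\n";

    // Vulnerable pattern: in 1.x, new Yaml() is new Yaml(new Constructor()),
    // which resolves global tags to classes and instantiates them.
    // Note: loadAs(input, Config.class) does NOT fix this in 1.x; nested
    // nodes can still carry "!!" tags that name arbitrary classes.
    static Object loadWithDefaultConstructor(String yaml) {
        return new Yaml().load(yaml);
    }

    // Hardened pattern: SafeConstructor builds only standard YAML types
    // (maps, lists, scalars) and rejects every global "!!" tag.
    static Object loadWithSafeConstructor(String yaml) {
        LoaderOptions opts = new LoaderOptions();
        Yaml safeYaml = new Yaml(new SafeConstructor(opts));
        return safeYaml.load(yaml);
    }

    // Serialization side, for contrast: dump() never instantiates classes
    // from the document, which is why "serialize-only" usages are safe.
    static String serialize(Object value) {
        return new Yaml().dump(value);
    }

    public static void main(String[] args) {
        Map<?, ?> unsafe = (Map<?, ?>) loadWithDefaultConstructor(UNTRUSTED);
        // Prints "java.util.HashMap": the class came from the input.
        System.out.println("default Constructor built: "
                + unsafe.get("settings").getClass().getName());

        try {
            loadWithSafeConstructor(UNTRUSTED);
            System.out.println("SafeConstructor accepted the tag (unexpected)");
        } catch (YAMLException e) {
            // SafeConstructor throws ConstructorException (a YAMLException):
            // "could not determine a constructor for the tag ..."
            System.out.println("SafeConstructor rejected it: " + e.getMessage());
        }

        System.out.print("dump() output:\n" + serialize(unsafe));
    }
}
```

The check to apply to a code base is therefore the one described for Liquibase above: find every `new Yaml(` and confirm that each instance fed external data is constructed with `SafeConstructor` (or, in 2.x, has no TagInspector that admits global tags), or that the only data it ever sees is a file the attacker cannot write to.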
...