...
new Yaml(new org.yaml.snakeyaml.constructor.Constructor() [, ...])
These are not vulnerable:
new Yaml(new org.yaml.snakeyaml.constructor.SafeConstructor() [, ...])
new Yaml(new org.yaml.snakeyaml.constructor.SafeConstructor(new LoaderOptions()) [, ...])
If a different Constructor is passed as the first parameter, you need to check it manually.
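The safe pattern from the two lines above, as an added example that is not code from the original page or from SnakeYaml itself. It assumes the SnakeYaml 1.x API shown above (`SafeConstructor(LoaderOptions)` and `Yaml.load(String)`); the class name `com.example.NotAllowed` in the tagged sample document is a placeholder that does not exist anywhere, and both YAML strings are constructed inline.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public final class SafeYamlLoad {

    // Build a fresh Yaml per call: Yaml instances are not thread-safe.
    private static Yaml safeYaml() {
        LoaderOptions options = new LoaderOptions();
        // SafeConstructor only materialises the standard YAML types (maps,
        // lists, scalars) and never instantiates a class named by a !!tag.
        return new Yaml(new SafeConstructor(options));
    }

    /** Parse YAML that arrived from an untrusted source (HTTP body, upload, remote file). */
    public static Map<String, Object> loadUntrusted(String document) {
        return safeYaml().load(document);
    }

    public static void main(String[] args) {
        // Constructed sample: ordinary config-style YAML, parsed into a Map.
        String plain = "server:\n  port: 8080\n  host: example.invalid\n";
        System.out.println(loadUntrusted(plain));

        // Constructed sample: a document carrying a global tag that names a
        // placeholder class. SafeConstructor has no constructor registered for
        // unknown global tags and throws instead of resolving the class.
        String tagged = "!!com.example.NotAllowed {}\n";
        try {
            loadUntrusted(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The second sample is the check worth keeping in a unit test: if someone later swaps `SafeConstructor` for `Constructor` (or for a custom subclass, which the text says must be reviewed by hand), the tagged document stops throwing and the test fails.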
...
- vertx-conf/vertx-conf-yaml has been fixed since Vert.x 4.3.4
- vertx-web has been fixed since Vert.x 4.3.4
- Spring Framework has been fixed since spring-framework 5.3.4
- Spring Boot has been fixed since spring boot 2.1.15.RELEASE
- Swagger-parser is not affected because it uses SafeConstructor: https://github.com/swagger-api/swagger-core/issues/4323#issuecomment-1351815336
- Testcontainers is vulnerable when ParsedDockerComposeFile is used with dynamic input.
- Liquibase is vulnerable when the Liquibase Hub Service (= fetching a yaml file from an external server) is used (StandardHubService.java and HttpClient.java); all other SnakeYaml usages are safe because they use SafeConstructor or only do serialization (not deserialization): "new yaml" search
- Karate has always been safe: JsonUtils.java
- Micronaut is not affected because it uses SafeConstructor: https://github.com/micronaut-projects/micronaut-core/blob/3.8.x/src/main/docs/guide/appendix/breaks.adoc#387
If SnakeYaml is only used to parse a hard-coded yaml file, such as a configuration file from the git repository, then there is no exploit.
...