Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-6169

Disable YAML deserialization in the YAML Configuration Extension

    XMLWordPrintable

Details

    Description

      CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution

      Update the  YAML Configuration Extension so that it won't try to deserialize yaml to java classes.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem which impairs or prevents the functions of the product. JBEAP-24346 (7.4.z) WFCORE-6169 - Disable YAML deserialization in the YAML Configuration Extension

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            Public project attachment banner

              context keys: [headless, issue, helper, isAsynchronousRequest, project, action, user]
              current Project key: WFCORE

              People

                ehugonne1@redhat.com Emmanuel Hugonnet
                ehugonne1@redhat.com Emmanuel Hugonnet
                Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: