Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-6169

Disable YAML deserialization in the YAML Configuration Extension

    XMLWordPrintable

Details

    Description

      CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution

      Update the  YAML Configuration Extension so that it won't try to deserialize yaml to java classes.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-24346 (7.4.z) WFCORE-6169 - Disable YAML deserialization in the YAML Configuration Extension

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              ehugonne1@redhat.com Emmanuel Hugonnet
              ehugonne1@redhat.com Emmanuel Hugonnet
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: