Details
- Bug
- Resolution: Unresolved
- Major
- None
- 26.1.2.Final
- None
Description
SnakeYAML is vulnerable to remote code execution (RCE) when used in an application to parse untrusted user-supplied YAML files. A remote attacker could craft a malicious YAML file that when deserialized allows arbitrary command execution on the target system.
The above fix is available in snakeyaml-1.32.jar.
As of now, WildFly bundles snakeyaml-1.29.jar, which can be seen in the following locations:
wildfly-26.1.2.Final\modules\system\layers\base\org\yaml\snakeyaml\main
wildfly-26.1.3.Final\modules\system\layers\base\org\yaml\snakeyaml\main
We need to bundle the latest snakeyaml jar, which is snakeyaml-1.32.jar.
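As an added example (not part of this issue, and not WildFly's own tooling), a POSIX shell check that reads the SnakeYAML version from the jar name in the module directory the issue points to and compares it against the version the issue asks for. The minimum-version variable, the function names and the sample install tree are assumptions constructed for the demonstration; `sort -V` requires GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the WildFly issue: report which SnakeYAML jar a
# WildFly installation bundles and whether it meets the version the issue
# requests. The module path follows the issue; MIN_SNAKEYAML_VERSION, the
# helper names and the sample tree built by make_sample_install are assumptions.

MIN_SNAKEYAML_VERSION="1.32"

# Print the version embedded in the jar filename under the module's main/
# directory (e.g. "1.29" for snakeyaml-1.29.jar). Print nothing and return 1
# when the module directory or the jar is missing.
bundled_snakeyaml_version() {
    wildfly_home="$1"
    module_dir="$wildfly_home/modules/system/layers/base/org/yaml/snakeyaml/main"
    [ -d "$module_dir" ] || return 1
    jar=$(ls "$module_dir"/snakeyaml-*.jar 2>/dev/null | head -n 1)
    [ -n "$jar" ] || return 1
    basename "$jar" | sed -e 's/^snakeyaml-//' -e 's/\.jar$//'
}

# Return 0 when $1 >= $2 in version order. sort -V orders 1.9 before 1.32,
# which a plain string comparison would get wrong.
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Return 0 when the install bundles an acceptable version, 1 when the jar is
# older than MIN_SNAKEYAML_VERSION or cannot be located.
check_wildfly_snakeyaml() {
    ver=$(bundled_snakeyaml_version "$1") || {
        echo "snakeyaml module not found under $1" >&2
        return 1
    }
    if version_at_least "$ver" "$MIN_SNAKEYAML_VERSION"; then
        echo "OK: bundled snakeyaml-$ver.jar (>= $MIN_SNAKEYAML_VERSION)"
        return 0
    fi
    echo "OUTDATED: bundled snakeyaml-$ver.jar (< $MIN_SNAKEYAML_VERSION)"
    return 1
}

# Constructed sample install tree mirroring the module layout in the issue,
# with an empty placeholder jar so the check runs offline.
make_sample_install() {
    root="$1"
    version="$2"
    d="$root/modules/system/layers/base/org/yaml/snakeyaml/main"
    mkdir -p "$d" && : > "$d/snakeyaml-$version.jar"
}

# Usage against a real install: check_wildfly_snakeyaml /opt/wildfly-26.1.2.Final
```

Run it against a real WildFly home by calling `check_wildfly_snakeyaml "$JBOSS_HOME"`; a non-zero exit makes it usable as a gate in a build or deployment pipeline.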