#clj-yaml
2022-12-06
lread 13:12:24

Current https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64573493 on CVE from Andrey, the SnakeYAML maintainer:

> Won’t fix means that there is no problem.
> Please read the issue - it is still under analysis/investigation.
> It only affects those who take untrusted data from unknown source - no one has presented a valid use case so far.
> Those who trust false positives may try to use the proposed solution - use SafeConstructor

The clj-yaml lib uses the SafeConstructor by default and I added this https://github.com/clj-commons/clj-yaml/blob/master/doc/01-user-guide.adoc#unsafe a while back. From the clj-yaml side, I think we are good. As of this writing, as Andrey mentioned, https://nvd.nist.gov/vuln/detail/CVE-2022-1471. I'll keep an eye on this and see how it plays out.
