vulnerable dependency maven:org.yaml:snakeyaml

I am periodically checking vulnerabilities on my pom.xml and generally fix these problems by updating the dependency versions. However, I get the following error:

Provides transitive vulnerable dependency maven:org.yaml:snakeyaml:1.30
    CVE-2022-25857 7.5 Uncontrolled Resource Consumption vulnerability pending CVSS allocation
    CVE-2022-38752 6.5 Out-of-bounds Write vulnerability with medium severity found
    CVE-2022-38749 6.5 Out-of-bounds Write vulnerability pending CVSS allocation
    CVE-2022-38750 5.5 Out-of-bounds Write vulnerability pending CVSS allocation
    CVE-2022-38751 6.5 Out-of-bounds Write vulnerability pending CVSS allocation
    CVE-2022-41854 6.5 Stack-based Buffer Overflow vulnerability with medium severity found
    CVE-2022-1471 9.8 Deserialization of Untrusted Data vulnerability with high severity found
Results powered by Checkmarx(c)

I try to add a <version> to the <artifactId>spring-boot-starter-web</artifactId> in my pom.xml, but it does not make any sense.

So, how can I fix this problem properly? I use IntelliJ's default features to fix this kind of problem, but should I add any extra useful plugins etc.?

Jack asked Nov 19 '25 09:11


1 Answer

Unfortunately, Spring Boot 2.7.x still uses an older, vulnerable version of SnakeYAML (1.30). They still have not upgraded it to the last version (1.33). Spring Boot 3.0.0 does depend on version 1.33.

Assuming you cannot upgrade to Spring Boot 3.0.0 yet, the only thing that should work is to add a dependency to SnakeYAML 1.33 in your project. That version should then take precedence over Spring Boot's transitive dependency.

However, SnakeYAML 1.33 still has a vulnerability. Since that is the last version (SnakeYAML 2.x is not compatible with 1.x), that's something you can't get rid of until the SnakeYAML team fixes that.

Edit: with SnakeYAML 2.x, I meant this one. SnakeYAML 1.33 recently had a follow-up 2.0 version which is a different one. Compatibility between 1.33 and 2.0 is still not 100%, but Spring Boot 2.7.10+ and Spring Boot 3.x should support both.

Rob Spoor answered Nov 20 '25 21:11
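A pom.xml excerpt showing the override the answer describes, added here as an example rather than taken from the question or the answer. It assumes the project inherits from spring-boot-starter-parent (that is what makes the snakeyaml.version property take effect) and uses the org.yaml:snakeyaml coordinates that appear in the scan output.

```xml
<!-- Added example pom.xml excerpt: force SnakeYAML 1.33 ahead of the 1.30 that
     spring-boot-starter-web pulls in transitively from Spring Boot 2.7.x. -->
<project>
  <!-- parent (spring-boot-starter-parent), groupId, artifactId as in your project -->

  <properties>
    <!-- spring-boot-dependencies declares this property; overriding it here
         re-points Spring Boot's own managed version of SnakeYAML.
         Only applies when the parent is spring-boot-starter-parent. -->
    <snakeyaml.version>1.33</snakeyaml.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Pin the version centrally so every transitive path, in every module,
           resolves to 1.33 regardless of how deep in the tree it appears. -->
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>1.33</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <!-- version is managed by the Spring Boot parent; do not set it here,
           which is why adding <version> to this artifact had no effect -->
    </dependency>

    <!-- The approach from the answer: a direct dependency on 1.33. Maven's
         "nearest wins" mediation prefers this over the transitive 1.30. -->
    <dependency>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
      <version>1.33</version>
    </dependency>
  </dependencies>
</project>
```

After the change, mvn dependency:tree -Dincludes=org.yaml:snakeyaml should show a single org.yaml:snakeyaml:jar:1.33 node in the tree. As the answer notes, 1.33 itself still carries an open finding, so the scan will not be fully clean until the project can move to a Spring Boot release that manages a fixed version.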


