Keycloak 20.0.1 - CVE-2022-1471 from transitive dependency on SnakeYAML


Padmanabha Bhat

Apr 6, 2023, 7:10:07 AM
to Keycloak User
Hi, I am looking at resolving CVE-2022-1471 in a forked branch of Keycloak 20.0.1. I am able to resolve the issue by adding an explicit dependency on SnakeYAML 2.0. I have made an additional change to remove the SnakeYAML dependency from com.github.ua-parser:uap-java and to update uap-java to 1.5.4.

The change seems to be working based on my testing so far. If you know a use case where this might cause an issue, I would like to understand that.

Regards,
Padmanabha Bhat
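A Maven pom.xml fragment that implements the change the post describes, as an added example and not the poster's actual diff. The coordinates org.yaml:snakeyaml and com.github.ua-parser:uap-java are the real ones; which Keycloak module the fragment belongs in, and the use of dependencyManagement for the pin, are assumptions.

```xml
<!-- Added example, not the poster's patch: pin SnakeYAML to 2.0 and make sure
     the copy that uap-java pulls in transitively is not the one on the classpath. -->
<dependencyManagement>
  <dependencies>
    <!-- Managed version so every module that resolves snakeyaml gets 2.0 -->
    <dependency>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
      <version>2.0</version>
    </dependency>
    <!-- Updated uap-java with its own snakeyaml excluded -->
    <dependency>
      <groupId>com.github.ua-parser</groupId>
      <artifactId>uap-java</artifactId>
      <version>1.5.4</version>
      <exclusions>
        <exclusion>
          <groupId>org.yaml</groupId>
          <artifactId>snakeyaml</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- The explicit dependency is required, not optional: uap-java still needs
       a YAML parser at runtime to load its regexes.yaml, and the exclusion above
       would otherwise remove it entirely. Version comes from dependencyManagement. -->
  <dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
  </dependency>
  <dependency>
    <groupId>com.github.ua-parser</groupId>
    <artifactId>uap-java</artifactId>
  </dependency>
</dependencies>
```

To confirm that only one copy remains after the change, run `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` on the module and check that every path ends in snakeyaml:2.0 with no older version listed as "omitted for conflict". Two things are worth reviewing when testing a fork like this: SnakeYAML 2.0 is a breaking release, so any code in Keycloak or its dependencies that calls `new Yaml()` and relies on loading documents with global tags (the behaviour CVE-2022-1471 describes) will now fail rather than instantiate the type, which is the intended hardening but can surface as a runtime error in a code path the test suite does not cover; and the exclusion only matters if uap-java 1.5.4 itself still declares an older snakeyaml, otherwise the managed version alone already selects 2.0.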