Vulnerabilities disclosed in SnakeYAML library

Issue date: 06-01-2023
Affects versions: 15.1, 14.7

Security Issue ID

SECURITY-397

Affected Product Version(s)

15.1.4, 14.7.13 and previous releases.

Severity

Critical

Description

CVE-2022-29599 suppress

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSSv2:

Base Score: HIGH (7.5)
Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSSv3:

Base Score: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Instructions

Customers are recommended to upgrade to the latest version. As of the time of writing, 15.2.0, 14.7.14.

Get Started

Build a Website

Relevance Trail

Feed an AngularJS App

Understand Hippo

Implement Hippo

Extend Hippo

Integrate Hippo

Run Hippo

Upgrade Hippo

Develop Hippo

Use Hippo

Report an Issue

Bloomreach Documentation version

Vulnerabilities disclosed in SnakeYAML library