Vulnerabilities disclosed in SnakeYAML library
Issue date: 06-01-2023
Affects versions: 15.1, 14.7
Security Issue ID
Affected Product Version(s): 15.1.4, 14.7.13 and previous releases.
In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVSS v2.0
- Base Score: HIGH (7.5)
- Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS v3.1
- Base Score: CRITICAL (9.8)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Customers are recommended to upgrade to the latest version (15.2.0 or 14.7.14 as of the time of writing).
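As an added illustration of the bug class this advisory names (an independent example, not code from maven-shared-utils or the affected product), the following Python models how a POSIX shell reads one double-quoted word: a quoter that only wraps an argument in double quotes leaves `$`, backtick and any embedded `"` live, while a quoter that backslash-escapes those characters yields the argument verbatim.

```python
#!/usr/bin/env python3
"""Double-quoting without escaping versus proper escaping of a shell argument.
Constructed example; the analyzer follows POSIX double-quote rules, it is not
the affected library's Commandline logic."""

# Characters that keep their meaning inside a double-quoted POSIX shell word.
DQ_SPECIAL = '"$`\\'


def naive_double_quote(arg: str) -> str:
    """Flawed pattern: wrap in double quotes, escape nothing."""
    return f'"{arg}"'


def escape_double_quoted(arg: str) -> str:
    """Correct pattern: backslash-escape the four characters that stay special."""
    escaped = ''.join(f'\\{ch}' if ch in DQ_SPECIAL else ch for ch in arg)
    return f'"{escaped}"'


def analyze_double_quoted(word: str) -> dict:
    """Model how a POSIX shell reads a word that starts with a double quote.

    Returns the literal text the shell would produce, the unescaped '$' / '`'
    characters that would trigger expansion or command substitution, and the
    text left after the first unescaped '"' (non-empty means the argument
    boundary was broken; None means the quote was never closed)."""
    assert word.startswith('"'), "expected a double-quoted word"
    body, literal, live, i = word[1:], [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body) and body[i + 1] in DQ_SPECIAL:
            literal.append(body[i + 1])  # escaped: taken literally
            i += 2
            continue
        if ch == '"':  # closing quote reached; whatever follows is extra syntax
            return {"literal": ''.join(literal), "live": live, "trailing": body[i + 1:]}
        if ch in '$`':
            live.append(ch)  # unescaped: the shell would expand or substitute here
        literal.append(ch)
        i += 1
    return {"literal": ''.join(literal), "live": live, "trailing": None}


def is_safely_quoted(word: str) -> bool:
    """True only if nothing would expand and the quotes enclose the whole argument."""
    r = analyze_double_quoted(word)
    return not r["live"] and r["trailing"] == ''
```

Running `is_safely_quoted` over a quoting helper's output for arguments containing `$`, backtick, backslash and `"` is a cheap unit-test check for this defect class.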