Exploit Report


CVE-2023-46302

CVE: CVE-2023-46302
CVE Title:
Published Date: 2023-11-20T09:15Z
Modified Date: 2023-11-20T15:04Z
Description: Apache Software Foundation Apache Submarine has a YAML deserialization bug. The bug is caused by SnakeYAML (https://nvd.nist.gov/vuln/detail/CVE-2022-1471). Apache Submarine uses JAX-RS to define REST endpoints. In order to handle YAML requests (using the application/yaml content type), it defines a YamlEntityProvider entity provider that processes all incoming YAML requests. In order to unmarshal the request, the readFrom method is invoked, passing the entityStream containing the user-supplied data to `submarine-server/server-core/src/main/java/org/apache/submarine/server/utils/YamlUtils.java`. This issue has been fixed in the new version by replacing SnakeYAML with `jackson-dataformat-yaml`. This issue affects Apache Submarine from 0.7.0 before 0.8.0. Users are recommended to upgrade to version 0.8.0, which fixes this issue. If you are using a version earlier than 0.8.0 and do not want to upgrade, you can cherry-pick PR https://github.com/apache/submarine/pull/1054 and rebuild the submarine-server image to fix this.
References
  • https://issues.apache.org/jira/browse/SUBMARINE-1371
  • https://github.com/apache/submarine/pull/1054
  • https://lists.apache.org/thread/zf0wppzh239j4h131hm1dbswfnztxrr5
Sources: NIST, MITRE
Note
  • No CVSS data for this CVE


© 2022 Exploit.Report