Vulnerabilities disclosed in SnakeYAML library

Issue date: 06-01-2023
Affects versions: 15.1, 14.7

Security Issue ID

SECURITY-397


Affected Product Version(s)

15.1.4, 14.7.13 and previous releases.


Severity

Critical


Description

CVE-2022-29599

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
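As an added illustration of the weakness described above (example code written for this advisory, not code from maven-shared-utils or its Commandline class), the following Python contrasts quote-only wrapping of an argument with backslash-escaping of the characters that stay active inside POSIX-shell double quotes, and includes a review check for a quoted word. Function names and the sample arguments are constructed for this example.

```python
"""Why double quotes alone do not neutralise a shell argument: inside a
double-quoted POSIX-shell word the characters \\ " $ and ` keep their
meaning, so quoting without escaping leaves substitution possible.
Constructed example for this advisory, not library code."""
import shutil
import subprocess
from typing import Optional

# Characters that remain active inside a double-quoted shell word.
ACTIVE_IN_DOUBLE_QUOTES = set('\\"$`')


def naive_double_quote(arg: str) -> str:
    """The flawed pattern: wrap in quotes, escape nothing."""
    return f'"{arg}"'


def escaped_double_quote(arg: str) -> str:
    """Hardened pattern: backslash-escape each active character, then quote."""
    out = []
    for ch in arg:
        if ch in ACTIVE_IN_DOUBLE_QUOTES:
            out.append("\\")
        out.append(ch)
    return '"' + "".join(out) + '"'


def has_unescaped_active_char(quoted: str) -> bool:
    """Review check on a double-quoted word: True if any active character
    is not preceded by a backslash, or a lone trailing backslash would
    escape the closing quote. Either way the shell will interpret it."""
    body = quoted[1:-1]  # strip the surrounding quotes
    i = 0
    while i < len(body):
        if body[i] == "\\":
            if i == len(body) - 1:
                return True  # escapes the closing quote itself
            i += 2  # escaped pair; skip both characters
            continue
        if body[i] in ACTIVE_IN_DOUBLE_QUOTES:
            return True
        i += 1
    return False


def shell_roundtrip(quoted: str) -> Optional[str]:
    """Ask /bin/sh to print the word back (None if no sh is available).
    A faithful round trip means the argument arrived unchanged."""
    if shutil.which("sh") is None:
        return None
    proc = subprocess.run(["sh", "-c", "printf '%s' " + quoted],
                          capture_output=True, text=True, check=False)
    return proc.stdout
```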

CVSSv2:

  • Base Score: HIGH (7.5)
  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSSv3:

  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Instructions

Customers are recommended to upgrade to the latest version; as of the time of writing, that is 15.2.0 for the 15.x line and 14.7.14 for the 14.7.x line.