Spring Boot provides transitive vulnerable dependency


I created a Spring Boot project with start.spring.io and added the Spring Boot Starter JDBC to it. Unfortunately, a yellow (IntelliJ) error appears on this piece of code.

Here is the "bad" code:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-jdbc</artifactId>
    <version>3.1.3</version>
</dependency>

Here is the error:

Provides transitive vulnerable dependency org.yaml:snakeyaml:1.33
CVE-2022-41854 6.5 Out-of-bounds Write vulnerability with medium severity found
CVE-2022-1471 9.8 Deserialization of Untrusted Data vulnerability with high severity found
Results powered by Checkmarx(c)

Do you know what this is? Why does this error appear in an empty Spring Boot project?

2

There are 2 best solutions below

1
Ayushi Srivastava On

This is happening due to versioning issues between Spring JDBC version 3.1.3 and the SnakeYAML version.

You need to add a dependency on SnakeYAML 1.33 in your project. That version should then take precedence over Spring Boot's transitive dependency.

However, SnakeYAML 1.33 still has a vulnerability. You can use 2.2 in that case.

If neither of them work, you can simply exclude snakeyaml from the dependencies list as:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-jdbc</artifactId>
    <version>3.1.3</version>
    <exclusions>
        <exclusion>
            <groupId>org.yaml</groupId>
            <artifactId>snakeyaml</artifactId>
        </exclusion>
    </exclusions>
</dependency>

corresponding to the above-mentioned dependency for spring-boot-starter-jdbc.

Hope this helps.

0
Andy Brown On

The deserialization vulnerability is fixed in SnakeYAML 2.0. Spring Boot 3 has been compatible with 2.0 since 3.0.5, but does not include it by default because their policy is not to upgrade major-version dependencies in maintenance releases due to the possibility of breaking changes.

Maven users can manually upgrade by setting the version number in the <properties> section of pom.xml:

<properties>
  <snakeyaml.version>2.0</snakeyaml.version>
</properties>

Gradle users can add the following to gradle.properties:

snakeyaml.version=2.0
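Whichever route you take (pinning `snakeyaml.version`, declaring a direct dependency, or excluding the artifact), the thing worth verifying is what Maven actually resolved, not what the pom says. The check below is an added example, not code from the original post or from Spring Boot: it parses the text that `mvn dependency:tree` prints (run it as `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` to narrow the output) and reports every `org.yaml:snakeyaml` node whose version is below 2.0, the release the answer above names as the fix for CVE-2022-1471. The three tree samples are constructed to illustrate the default 3.1.3 resolution, the overridden one, and the excluded one; the `MIN_SAFE_SNAKEYAML` threshold and the `check_tree` helper are this example's own names.

```python
"""Flag a vulnerable SnakeYAML version in `mvn dependency:tree` output.

Added example (not from the original post). Feed check_tree() the text of
`mvn dependency:tree`; the samples below are constructed, not captured.
"""
import re
from typing import Dict, List, Tuple

# Lowest SnakeYAML release that fixes CVE-2022-1471 (deserialization of
# untrusted data), per the second answer above.
MIN_SAFE_SNAKEYAML = (2, 0)

# A dependency:tree node line looks like:
#   [INFO] |  \- org.yaml:snakeyaml:jar:1.33:compile
# i.e. groupId:artifactId:packaging[:classifier]:version:scope
_COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.33' or '2.0' into a comparable tuple; drop qualifiers like '-SNAPSHOT'."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def find_snakeyaml(tree_text: str) -> List[Tuple[str, str]]:
    """Return (version, scope) for every org.yaml:snakeyaml node in the tree."""
    found = []
    for line in tree_text.splitlines():
        m = _COORD_RE.search(line)
        if m and m.group("group") == "org.yaml" and m.group("artifact") == "snakeyaml":
            found.append((m.group("version"), m.group("scope")))
    return found


def check_tree(tree_text: str) -> Dict[str, object]:
    """Summarise which SnakeYAML versions resolved and whether any is below the fix.

    'missing' is True when SnakeYAML is not on the classpath at all (the
    exclusion route from the first answer); the caller decides if that is
    acceptable for an application that still needs YAML support.
    """
    versions = find_snakeyaml(tree_text)
    vulnerable = sorted({v for v, _ in versions if parse_version(v) < MIN_SAFE_SNAKEYAML})
    return {
        "versions": sorted({v for v, _ in versions}),
        "vulnerable": vulnerable,
        "missing": not versions,
        "ok": bool(versions) and not vulnerable,
    }


# Constructed sample: bare spring-boot-starter-jdbc 3.1.3 project, no override.
TREE_DEFAULT = r"""
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-jdbc:jar:3.1.3:compile
[INFO]    +- org.springframework.boot:spring-boot-starter:jar:3.1.3:compile
[INFO]    |  \- org.yaml:snakeyaml:jar:1.33:compile
[INFO]    \- org.springframework:spring-jdbc:jar:6.0.11:compile
"""

# Constructed sample: same project after setting <snakeyaml.version>2.0</snakeyaml.version>.
TREE_OVERRIDDEN = r"""
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-jdbc:jar:3.1.3:compile
[INFO]    +- org.springframework.boot:spring-boot-starter:jar:3.1.3:compile
[INFO]    |  \- org.yaml:snakeyaml:jar:2.0:compile
[INFO]    \- org.springframework:spring-jdbc:jar:6.0.11:compile
"""

# Constructed sample: same project with snakeyaml excluded from the starter.
TREE_EXCLUDED = r"""
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-jdbc:jar:3.1.3:compile
[INFO]    +- org.springframework.boot:spring-boot-starter:jar:3.1.3:compile
[INFO]    \- org.springframework:spring-jdbc:jar:6.0.11:compile
"""

if __name__ == "__main__":
    for name, tree in (("default", TREE_DEFAULT), ("overridden", TREE_OVERRIDDEN), ("excluded", TREE_EXCLUDED)):
        print(name, check_tree(tree))
```

Pipe real output in with `mvn dependency:tree | python3 check_snakeyaml.py` after replacing the sample-printing `__main__` with `check_tree(sys.stdin.read())`; a non-empty `vulnerable` list means the override did not take effect (for example, a version pinned in a parent pom or a dependencyManagement entry winning over yours).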