<version>1.23</version> <!-- updating this breaks Java 6 compatibility -->
The vulnerability is for cases where the yaml file comes from an untrusted source. In the case of the jmx_exporter you will certainly write and deploy the yaml yourself, so the CVE doesn't really apply here.
There are plans to provide a default release for Java >= 8 and a separate jdk6 release, because this CVE seems to pop up regularly in users' security scans, see #592
The current version in jmx_exporter is 1.2.3: https://github.com/prometheus/jmx_exporter/blob/master/collector/pom.xml#L32
The vulnerability in this version is https://nvd.nist.gov/vuln/detail/CVE-2017-18640
If you bump the version to snakeyaml 1.2.6 (or the latest 1.2.8), you can eliminate this vulnerability.
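The two comments above turn on one question: does the YAML fed to SnakeYAML come from someone who could plant an alias bomb? The harness below is an added example, not jmx_exporter code and not from either commenter. It builds a constructed "billion laughs" document (nested sequences that each alias the previous one ten times) and loads it through a SnakeYAML loader with `LoaderOptions.setMaxAliasesForCollections`, the limit introduced in 1.26 as the fix for CVE-2017-18640. On a classpath with 1.23 the `setMaxAliasesForCollections` call does not compile, which is itself the quick way to tell which side of the fix you are on; on 1.26+ the load is rejected with a `YAMLException` before the aliases are expanded. The class name and the `billionLaughs` helper are this example's own.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

// Added example: checks how a given SnakeYAML build handles alias expansion.
// Nothing here is part of jmx_exporter; the YAML input is constructed for the test.
public class AliasExpansionCheck {

    // Constructed attacker-style input, not a real exporter config. Level 0 is a
    // one-element sequence; every further level aliases the previous level ten
    // times, so a document of depth d expands to 10^d sequence entries in memory
    // if the loader resolves aliases without a limit (the CVE-2017-18640 case).
    static String billionLaughs(int depth) {
        StringBuilder sb = new StringBuilder("a0: &a0 [x]\n");
        for (int i = 1; i <= depth; i++) {
            sb.append("a").append(i).append(": &a").append(i).append(" [");
            for (int j = 0; j < 10; j++) {
                if (j > 0) {
                    sb.append(", ");
                }
                sb.append("*a").append(i - 1);
            }
            sb.append("]\n");
        }
        return sb.toString();
    }

    // Loader with a bound on aliases to non-scalar (collection) nodes.
    // setMaxAliasesForCollections exists from SnakeYAML 1.26 onward (default 50);
    // with 1.23 on the classpath this method does not compile, which tells you
    // the build predates the fix.
    static Yaml boundedLoader(int maxAliases) {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(maxAliases);
        return new Yaml(opts);
    }

    // Returns true when the loader refuses the document, false when it expands it.
    static boolean rejectsAliasBomb(Yaml loader, String doc) {
        try {
            loader.load(doc);
            return false;
        } catch (YAMLException e) {
            // 1.26+ fails while composing, before any of the 10^depth entries exist.
            return true;
        }
    }

    public static void main(String[] args) {
        // Depth 8 would be 10^8 entries if fully expanded; the bounded loader
        // stops at the 51st collection alias instead.
        String doc = billionLaughs(8);
        boolean rejected = rejectsAliasBomb(boundedLoader(50), doc);
        System.out.println("alias bomb rejected by bounded loader: " + rejected);
    }
}
```

The exporter's own config is written by the operator, which is why the maintainer's comment says the CVE does not apply to it; the harness is for the case where a scanner flags the jar and you want to show concretely what the flagged behaviour is and that the bumped version bounds it. The default limit of 50 is enough for any hand-written exporter config, which rarely uses aliases at all.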