[CVE] Update snakeyaml dependency (#4341) (#4347)

The package `org.yaml:snakeyaml` before version 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. Details at https://nvd.nist.gov/vuln/detail/CVE-2022-25857 Signed-off-by: Rabi Panda <[email protected]> (cherry picked from commit 4bccdbe) Co-authored-by: Rabi Panda <[email protected]>
opensearch-project · Aug 30, 2022 · c44d8e4 · c44d8e4
1 parent d4dd71c
commit c44d8e4
Show file tree

Hide file tree

Showing 4 changed files with 3 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - Do not fail replica shard due to primary closure ([#4133](https://github.com/opensearch-project/OpenSearch/pull/4133))
 
 ### Security
+- CVE-2022-25857 org.yaml:snakeyaml DOS vulnerability ([#4341](https://github.com/opensearch-project/OpenSearch/pull/4341))
 
 ## [2.x]
 ### Added

diff --git a/buildSrc/version.properties b/buildSrc/version.properties
@@ -11,7 +11,7 @@ spatial4j         = 0.7
 jts               = 1.15.0
 jackson           = 2.13.3
 jackson_databind  = 2.13.3
-snakeyaml         = 1.26
+snakeyaml         = 1.31
 icu4j             = 70.1
 supercsv          = 2.4.0
 log4j             = 2.17.1

diff --git a/libs/x-content/licenses/snakeyaml-1.26.jar.sha1 b/libs/x-content/licenses/snakeyaml-1.26.jar.sha1
diff --git a/libs/x-content/licenses/snakeyaml-1.31.jar.sha1 b/libs/x-content/licenses/snakeyaml-1.31.jar.sha1
@@ -0,0 +1 @@
+cf26b7b05fef01e7bec00cb88ab4feeeba743e12