CVE-2023-46302

Apache Software Foundation Apache Submarine has a bug when serializing against yaml. The bug is caused by snakeyaml https://nvd.nist.gov/vuln/detail/CVE-2022-1471 .<br /> <br /> Apache Submarine uses JAXRS to define REST endpoints. In order to<br /> handle YAML requests (using application/yaml content-type), it defines<br /> a YamlEntityProvider entity provider that will process all incoming<br /> YAML requests. In order to unmarshal the request, the readFrom method<br /> is invoked, passing the entityStream containing the user-supplied data in `submarine-server/server-core/src/main/java/org/apache/submarine/server/utils/YamlUtils.java`.<br /> <br /> We have now fixed this issue in the new version by replacing to `jackson-dataformat-yaml`.<br /> This issue affects Apache Submarine: from 0.7.0 before 0.8.0. Users are recommended to upgrade to version 0.8.0, which fixes this issue.<br /> If using the version smaller than 0.8.0 and not want to upgrade, you can try cherry-pick PR https://github.com/apache/submarine/pull/1054 and rebuild the submart-server image to fix this.<br /> <br />