CVE-2023-46302

Name of the Vulnerable Software and Affected Versions Apache Submarine versions 0.7.0 through 0.7.x

Description The issue is caused by a bug in the serialization against YAML, specifically due to the use of snakeyaml. Apache Submarine uses JAXRS to define REST endpoints and handles YAML requests through a YamlEntityProvider entity provider. The readFrom method in YamlUtils.java processes incoming YAML requests, which can lead to the issue. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited.

Recommendations For Apache Submarine versions 0.7.0 through 0.7.x, upgrade to version 0.8.0 to fix the issue. As a temporary workaround for versions smaller than 0.8.0, consider cherry-picking PR and rebuilding the submarine-server image to fix this.