It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via Yaml.load()
in YamlProvider.
[
{
"product": "resteasy",
"vendor": "Red Hat, Inc.",
"versions": [
{
"status": "affected",
"version": "after 3.0.22"
},
{
"status": "affected",
"version": "after 3.1.2"
}
]
}
]