Camunda Spring Boot Starter 7.18.0 Exposes Critical 8.3 CVSS Vulnerability in Production Dependency
A critical vulnerability with a CVSS score of 8.3 has been flagged as directly reachable within the widely used Camunda BPM Spring Boot Starter library. The security scan for version 7.18.0 reveals a total of 12 vulnerabilities, with the most severe stemming from a transitive dependency on the snakeyaml library. This specific flaw, CVE-2022-1471, is not only rated as High severity but is also marked with a 93.8% EPSS score and a 'Functional' exploit maturity, indicating a high probability of active exploitation. The finding is particularly alarming because the vulnerable code path is identified as 'reachable' within the application's runtime, meaning the exploit surface is not just theoretical but directly accessible to potential attackers.
The vulnerable library, `camunda-bpm-spring-boot-starter-7.18.0.jar`, is a core component for integrating the Camunda workflow engine with Spring Boot applications. The scan shows the flaw originates from `snakeyaml-1.33.jar`, a library for parsing YAML configuration files, which is bundled as a transitive dependency. The report explicitly states there is no remediation available ('Fixed in: N/A') for this version of the starter, leaving developers with a significant security gap. The presence of multiple other vulnerabilities, including CVE-2023-20883, compounds the risk profile for any system relying on this specific build artifact.
This situation places immediate pressure on development and security teams using Camunda 7.18.0 in production Spring Boot environments. The reachable nature of the vulnerability means any application endpoint that processes YAML configuration through the Camunda stack could be an entry point for remote code execution. Organizations must assess their exposure, scrutinize their dependency trees, and urgently plan for an upgrade path or implement stringent network-level controls to mitigate the risk while a patched version is awaited. The high EPSS percentage signals that automated attacks targeting this weakness are likely already in circulation.
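The dependency-tree check called for above, as an added example that is not part of the article or of the Camunda project: a small Python script that parses the text `mvn dependency:tree` prints and reports every path through which an affected `org.yaml:snakeyaml` is pulled in transitively. The sample tree it runs on is constructed; the Maven coordinates of the intermediate hops and every version other than 7.18.0 and 1.33 are assumptions, and the 2.0 threshold reflects the SnakeYAML release in which CVE-2022-1471 was addressed.

```python
"""Audit a Maven dependency tree for SnakeYAML versions affected by CVE-2022-1471.

Added example, not code from the article or the Camunda project. It parses the
text that `mvn dependency:tree` prints and reports every path through which an
affected org.yaml:snakeyaml is reached transitively.
"""
import re
from typing import Dict, List, Tuple

# CVE-2022-1471 (unsafe deserialization through SnakeYAML's default Constructor)
# was addressed in SnakeYAML 2.0; anything below that is treated as affected.
FIXED_SNAKEYAML = (2, 0)
SNAKEYAML_GA = ("org.yaml", "snakeyaml")

# Constructed sample of `mvn dependency:tree` output. The spring-boot-starter hop
# and all versions other than 7.18.0 and 1.33 are assumptions for illustration,
# not values taken from the article's scan report.
SAMPLE_TREE = """\
[INFO] com.example:order-service:jar:1.0.0
[INFO] +- org.camunda.bpm.springboot:camunda-bpm-spring-boot-starter:jar:7.18.0:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter:jar:2.7.0:compile
[INFO] |     \\- org.yaml:snakeyaml:jar:1.33:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
"""

# Tree lines look like "[INFO] |  \- group:artifact:type[:classifier]:version[:scope]".
# The tree-drawing characters come in 3-character cells, so depth = len(prefix) // 3.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[ |+\\-]*)(?P<coord>[A-Za-z0-9_.\-]+:\S+)$")


def parse_tree(text: str) -> List[Dict[str, object]]:
    """Return one record per dependency node: group, artifact, version and the
    path of coordinates (direct dependency first) that leads to it."""
    records: List[Dict[str, object]] = []
    stack: List[Tuple[int, str]] = []  # (depth, coordinate) of the current ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # build noise, section banners, blank lines
        depth = len(m.group("prefix")) // 3
        coord = m.group("coord")
        parts = coord.split(":")
        if len(parts) < 4:
            continue
        group, artifact = parts[0], parts[1]
        # With a classifier the layout is g:a:type:classifier:version:scope.
        version = parts[4] if len(parts) == 6 else parts[3]
        while stack and stack[-1][0] >= depth:
            stack.pop()
        path = [c for d, c in stack if d > 0] + [coord]
        stack.append((depth, coord))
        if depth == 0:
            continue  # the project itself is not a dependency
        records.append({"group": group, "artifact": artifact,
                        "version": version, "path": path})
    return records


def version_tuple(version: str) -> Tuple[int, int]:
    """Numeric major.minor of a version string ('1.33' -> (1, 33)).
    Unparseable versions map to (0, 0) so they are flagged, not silently skipped."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:2]]
    while len(nums) < 2:
        nums.append(0)
    return (nums[0], nums[1])


def find_vulnerable_snakeyaml(tree_text: str) -> List[Dict[str, object]]:
    """Every snakeyaml node below the fixed version, with the path that pulls it in."""
    return [r for r in parse_tree(tree_text)
            if (r["group"], r["artifact"]) == SNAKEYAML_GA
            and version_tuple(str(r["version"])) < FIXED_SNAKEYAML]


if __name__ == "__main__":
    for hit in find_vulnerable_snakeyaml(SAMPLE_TREE):
        print(f"snakeyaml {hit['version']} (affected by CVE-2022-1471) reached via:")
        for hop in hit["path"]:
            print("   ", hop)
```

Run it against real output with `mvn dependency:tree | python audit_snakeyaml.py`-style piping after swapping `SAMPLE_TREE` for `sys.stdin.read()`. Flagging by version is the conservative read: whether a flagged path is actually exploitable also depends on whether the application ever loads attacker-influenced YAML with SnakeYAML's default `Constructor` rather than `SafeConstructor`, which is the condition the scanner's 'reachable' verdict in the article is asserting for this starter.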