We have released version 3.6.1 of Snowplow’s Enrich, fixing a security vulnerability in the YAUAA library.
The Snowplow YAUAA enrichment is used to analyze the user agent information sent by the browser. In 3.6.0, we added support for a new feature, called Client Hints, a browser mechanism (the Sec-CH-UA family of request headers) that lets website operators request more detailed user agent data than the classic User-Agent string exposes.
Last week, a vulnerability was disclosed in the YAUAA library that powers the enrichment: an attacker who controls the client hints headers sent with an event can supply input that triggers an error in the library's parser.
Enrich itself cannot be crashed this way, because we already catch errors thrown by the enrichment, but we are nonetheless releasing a new version with the upgraded YAUAA library in which this issue has been addressed. We recommend that all users update to 3.6.1 as soon as possible, to be on the safe side.
Upgrading to 3.6.1
If you are already running a recent version of Enrich, all you need to do is pull the 3.6.1 tag of the docker image for the flavour you run and restart your deployment on it:
docker pull snowplow/snowplow-enrich-pubsub:3.6.1
docker pull snowplow/snowplow-enrich-kinesis:3.6.1
docker pull snowplow/snowplow-enrich-kafka:3.6.1
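To confirm which images in a deployment still need the upgrade, the following POSIX shell snippet (an added example, not part of the Snowplow release notes or the Enrich project) parses the tag out of an image reference and checks whether it is a release at or above 3.6.1. The image references it loops over at the bottom are constructed for illustration; in practice you would feed it the output of `docker inspect --format '{{.Config.Image}}'` or your deployment manifests. Tags that are not a plain X.Y.Z release (latest, release candidates, digest references) are reported as needing attention, because their version cannot be verified from the tag alone.

```shell
#!/bin/sh
# Added example (not Snowplow's code): flag Enrich images below the fixed release.

FIXED_VERSION="3.6.1"   # first Enrich release with the upgraded YAUAA library

# version_ge A B: succeed when X.Y.Z version A is greater than or equal to B.
# Compares each component numerically, so 3.10.0 correctly sorts after 3.9.9.
version_ge() {
  a=$(printf '%s' "$1" | tr '.' ' ')
  b=$(printf '%s' "$2" | tr '.' ' ')
  set -- $a $b            # $1 $2 $3 = parts of A, $4 $5 $6 = parts of B
  [ "$1" -gt "$4" ] && return 0
  [ "$1" -lt "$4" ] && return 1
  [ "$2" -gt "$5" ] && return 0
  [ "$2" -lt "$5" ] && return 1
  [ "$3" -ge "$6" ]
}

# image_tag REF: print the tag of an image reference, or "latest" when absent.
# Takes the text after the last colon, so a registry port (host:5000/...) is ignored.
image_tag() {
  case "$1" in
    *:*) printf '%s\n' "${1##*:}" ;;
    *)   printf 'latest\n' ;;
  esac
}

# enrich_image_is_fixed REF: succeed only when the tag is a plain X.Y.Z release
# at or above FIXED_VERSION. Anything else (latest, 3.6.1-rc1, @sha256:... digests)
# fails, because the tag alone does not prove the fix is present.
enrich_image_is_fixed() {
  tag=$(image_tag "$1")
  if printf '%s' "$tag" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
    version_ge "$tag" "$FIXED_VERSION"
  else
    return 1
  fi
}

# Demo over constructed image references (not real docker inspect output).
for ref in \
  snowplow/snowplow-enrich-pubsub:3.6.0 \
  snowplow/snowplow-enrich-kinesis:3.6.1 \
  snowplow/snowplow-enrich-kafka:latest
do
  if enrich_image_is_fixed "$ref"; then
    echo "ok       $ref"
  else
    echo "UPGRADE  $ref"
  fi
done
```

Run it against every Enrich container in your fleet; any line marked UPGRADE should be moved to the 3.6.1 tag (or, for digest-pinned deployments, checked against the 3.6.1 digest from the registry).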
Check out the Enrich documentation for the full guide on running and configuring the apps.