CVE-2022-1471

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Configurations

Configuration 1 (hide)

cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:*

History

19 Nov 2023, 15:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2023/11/19/1 -

13 Oct 2023, 16:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html -

18 Aug 2023, 14:15

Type Values Removed Values Added
References
  • (MISC) https://security.netapp.com/advisory/ntap-20230818-0015/ -

25 Apr 2023, 17:15

Type Values Removed Values Added
References
  • (MISC) https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc -
Summary SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

21 Mar 2023, 13:17

Type Values Removed Values Added
CPE cpe:2.3:a:snakeyaml_project:snakeyaml:1.30:*:*:*:*:*:*:* cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:*

11 Feb 2023, 17:42

Type Values Removed Values Added
References (MISC) https://github.com/mbechler/marshalsec - (MISC) https://github.com/mbechler/marshalsec - Exploit, Third Party Advisory
References (MISC) https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 - (MISC) https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 - Issue Tracking, Third Party Advisory
References (MISC) https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true - (MISC) https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true - Exploit, Third Party Advisory

19 Dec 2022, 11:15

Type Values Removed Values Added
References
  • (MISC) https://github.com/mbechler/marshalsec -
  • (MISC) https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 -
  • (MISC) https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true -

06 Dec 2022, 16:46

Type Values Removed Values Added
CWE CWE-502
First Time Snakeyaml Project snakeyaml
Snakeyaml Project
References (MISC) https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2 - (MISC) https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2 - Exploit, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
CPE cpe:2.3:a:snakeyaml_project:snakeyaml:1.30:*:*:*:*:*:*:*

01 Dec 2022, 11:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-12-01 11:15

Updated : 2023-12-10 14:48


NVD link : CVE-2022-1471

Mitre link : CVE-2022-1471

CVE.ORG link : CVE-2022-1471


JSON object : View

Products Affected

snakeyaml_project

  • snakeyaml
CWE
CWE-502

Deserialization of Untrusted Data

CWE-20

Improper Input Validation