CVE-2022-1471

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Configurations

Configuration 1 (hide)

cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:*

History

21 Jun 2024, 19:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20240621-0006/ -

19 Nov 2023, 15:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2023/11/19/1 -

13 Oct 2023, 16:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html -

18 Aug 2023, 14:15

Type Values Removed Values Added
References
  • (MISC) https://security.netapp.com/advisory/ntap-20230818-0015/ -

Information

Published : 2022-12-01 11:15

Updated : 2024-06-21 19:15


NVD link : CVE-2022-1471

Mitre link : CVE-2022-1471

CVE.ORG link : CVE-2022-1471


JSON object : View

Products Affected

snakeyaml_project

  • snakeyaml
CWE
CWE-502

Deserialization of Untrusted Data

CWE-20

Improper Input Validation