SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
References
Configurations
History
21 Nov 2024, 06:40
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html - | |
References | () http://www.openwall.com/lists/oss-security/2023/11/19/1 - | |
References | () https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 - Issue Tracking, Third Party Advisory | |
References | () https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2 - Exploit, Third Party Advisory | |
References | () https://github.com/mbechler/marshalsec - Exploit, Third Party Advisory | |
References | () https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc - | |
References | () https://security.netapp.com/advisory/ntap-20230818-0015/ - | |
References | () https://security.netapp.com/advisory/ntap-20240621-0006/ - | |
References | () https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true - Exploit, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.3 |
21 Jun 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
19 Nov 2023, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Oct 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
18 Aug 2023, 14:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2022-12-01 11:15
Updated : 2024-11-21 06:40
NVD link : CVE-2022-1471
Mitre link : CVE-2022-1471
CVE.ORG link : CVE-2022-1471
JSON object : View
Products Affected
snakeyaml_project
- snakeyaml