CVE-2022-1471

CVSS v3.1 9.8 (Critical)
EPSS 2.10 % (89th)
Affected Products 1
Advisories 5
NVD Status Modified

SnakeYaml's Constructor() class does not restrict the types that can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Weaknesses
CWE-20: Improper Input Validation
CWE-502: Deserialization of Untrusted Data
CVE Status: PUBLISHED
NVD Status: Modified
CNA: Google Inc.
Published Date: 2022-12-01 11:15:10 (21 months ago)
Updated Date: 2024-06-21 19:15:21 (2 months ago)

Affected Products


Configuration #1

    Product                                        CPE23                                  From  Up To
    Snakeyaml Project Snakeyaml prior 2.0 version  cpe:2.3:a:snakeyaml_project:snakeyaml  -     < 2.0