Home > Vulnerability Database > CVE-2022-1471

Mend.io Vulnerability Database

CVE-2022-1471

Good to know:

Date: December 1, 2022

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Language: Java

Severity Score

8.3

Related Resources (20)

Url: https://security.netapp.com/advisory/ntap-20230818-0015

Url: https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc

Url: https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

Url: https://bitbucket.org/snakeyaml/snakeyaml

Url: https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-1471

Url: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314

Url: https://security.netapp.com/advisory/ntap-20230818-0015/

Url: https://github.com/mbechler/marshalsec

Url: https://security.netapp.com/advisory/ntap-20240621-0006

Url: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479

Url: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Url: http://www.openwall.com/lists/oss-security/2023/11/19/1

Url: https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471

Url: https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758

Url: https://security.netapp.com/advisory/ntap-20240621-0006/

Url: https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4

Url: https://access.redhat.com/security/cve/CVE-2022-1471

Url: http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html

Url: https://www.mend.io/vulnerability-database/CVE-2022-1471

Severity Score

8.3

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version org.yaml:snakeyaml:2.0

Learn More

CVSS v3.1

Base Score:	8.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2022-1471

Good to know:

Date: December 1, 2022

Language: Java

Severity Score

Related Resources (20)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?