<p>Upgrade <code>org.yaml:snakeyaml</code> to version 2.0 or higher.</p>

Arbitrary Code Execution Affecting org.yaml:snakeyaml package, versions [0,2.0)

Snyk CVSS

Attack Complexity High

Privileges Required High

Confidentiality High

Integrity High

Availability High

Threat Intelligence

Exploit Maturity Proof of concept

EPSS 0.81% (82^nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGYAML-3152153
published 8 Dec 2022
disclosed 1 Dec 2022
credit Justin Taft, securisec

Report a new vulnerability Found a mistake?

Introduced: 1 Dec 2022

CVE-2022-1471 Open this link in a new tab CWE-20 Open this link in a new tab

How to fix?

Upgrade org.yaml:snakeyaml to version 2.0 or higher.

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Arbitrary Code Execution in the Constructor class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents the SafeConstructor class.

The maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation.