Lucene search

K
cvelistGoogleCVELIST:CVE-2022-1471
HistoryDec 01, 2022 - 10:47 a.m.

CVE-2022-1471 Remote Code execution in SnakeYAML

2022-12-0110:47:07
CWE-20
Google
www.cve.org

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

10 High

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

81.8%

SnakeYaml’s Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml’s SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SnakeYAML",
    "vendor": "SnakeYAML",
    "versions": [
      {
        "lessThanOrEqual": "2.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

10 High

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

81.8%