SnakeYaml's Constructor() class does not restrict the types that can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
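The following Java example is added here and is not code from the bulletin or from IBM. It contrasts the unrestricted Constructor with SafeConstructor on a document that carries a global `!!` class tag, using a harmless bean so that the only effect is which class gets built; it assumes the SnakeYAML 1.x API (no-argument Constructor and SafeConstructor) on the classpath.

```java
// Added example (not from the bulletin): Constructor vs. SafeConstructor on a
// YAML document with a global "!!" tag. Assumes SnakeYAML 1.x on the classpath.
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlSafeLoading {

    // Harmless bean (constructed for this example) used to show that the tag,
    // not the application, picks the class that gets instantiated.
    public static class Settings {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Constructed input: a global tag naming a class, followed by a mapping
    // whose keys are applied through the class's setters.
    static final String TAGGED_DOC =
        "!!" + Settings.class.getName() + " {name: demo}\n";

    // Vulnerable pattern: the unrestricted Constructor resolves the "!!" tag to
    // any class on the classpath and instantiates it while parsing.
    static Object loadUnsafe(String doc) {
        Yaml yaml = new Yaml(new Constructor());
        return yaml.load(doc);
    }

    // Hardened pattern: SafeConstructor only builds standard YAML types (maps,
    // lists, strings, numbers, dates) and rejects global "!!" tags with a
    // ConstructorException, which is a subclass of YAMLException.
    static Object loadSafe(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        Object unsafe = loadUnsafe(TAGGED_DOC);
        // The YAML author chose the class: the result is a Settings instance.
        System.out.println("Constructor built: " + unsafe.getClass().getName());

        try {
            loadSafe(TAGGED_DOC);
            System.out.println("SafeConstructor unexpectedly accepted the tag");
        } catch (YAMLException e) {
            // Expected: the global tag is refused before any class is touched.
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

When a typed result is required, note that in the 1.x line `new Constructor(Settings.class)` only fixes the root type and does not stop nested nodes from carrying their own global tags, so it is not a substitute for SafeConstructor on untrusted input; the 2.x line changed the default so that global tags must be explicitly allowed.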
CVEID:CVE-2022-1471
**DESCRIPTION:** SnakeYaml could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Constructor class. By using specially crafted YAML content, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/241118 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
Affected Product(s) | Version(s) |
---|---|
ICP - IBM Match 360 | All |
IBM Match 360 is affected by CVE-2022-1471: SnakeYaml's Constructor() class does not restrict the types that can be instantiated during deserialization. Upgrading to Match 360 version 4.7.0 or higher resolves the vulnerability.
None
CPE | Name | Operator | Version |
---|---|---|---|
 | ibm cloud pak for data | eq | 4. |