The SnakeYAML open source library used by IBM Db2® Graph is affected by CVE-2022-1471. The fix updates SnakeYAML to 2.0.
CVEID: CVE-2022-1471
**DESCRIPTION:** SnakeYAML could allow a remote authenticated attacker to execute arbitrary code on the system, caused by unsafe deserialization in the Constructor class: when a YAML document carries a global tag naming a Java class, the default Constructor instantiates that class through reflection without restricting which classes are permitted. By supplying specially crafted YAML content, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/241118 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
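As an added illustration (not part of IBM's bulletin and not code from the SnakeYAML project), the following Java program, written against the SnakeYAML 2.0 API, places the unsafe Constructor pattern beside two hardened forms: SafeConstructor, which refuses every global tag, and a Constructor restricted by an allow-list through `LoaderOptions.setTagInspector`. The YAML input is constructed for this example; `!!java.io.File` is a benign stand-in for whatever class an attacker would name, and `com.example.Config` is a hypothetical application class. Setting the tag inspector to `tag -> true` reproduces the pre-2.0 default, in which any global tag was trusted; in SnakeYAML 2.0 global tags are rejected unless the application opts in, which is why the upgrade closes the issue.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlLoadDemo {

  // Constructed sample input: a global tag naming an arbitrary JDK class.
  // A real payload names a class whose constructor has side effects;
  // java.io.File is used here only to show that class selection is
  // controlled by the document, not by the application.
  static final String UNTRUSTED = "!!java.io.File [\"/tmp/attacker-chosen-path\"]";

  // Vulnerable pattern: Constructor resolves the global tag to a class name
  // and instantiates it via reflection. The tag inspector below trusts every
  // global tag, which is what SnakeYAML 1.x did by default.
  static Object loadWithUnrestrictedConstructor(String yaml) {
    LoaderOptions opts = new LoaderOptions();
    opts.setTagInspector(tag -> true);
    return new Yaml(new Constructor(opts)).load(yaml);
  }

  // Hardened pattern 1: SafeConstructor only builds standard YAML types
  // (maps, lists, scalars) and throws on any global tag.
  static Object loadSafely(String yaml) {
    return new Yaml(new SafeConstructor(new LoaderOptions())).load(yaml);
  }

  // Hardened pattern 2: code that needs typed objects allow-lists the
  // classes the document may instantiate instead of trusting the tag.
  // "com.example.Config" is a hypothetical application class.
  static Object loadWithAllowList(String yaml) {
    LoaderOptions opts = new LoaderOptions();
    opts.setTagInspector(tag -> "com.example.Config".equals(tag.getClassName()));
    return new Yaml(new Constructor(opts)).load(yaml);
  }

  public static void main(String[] args) {
    // Unrestricted load: the document picked the class that got instantiated.
    Object o = loadWithUnrestrictedConstructor(UNTRUSTED);
    System.out.println("unrestricted: instantiated " + o.getClass().getName());

    // Both hardened loaders refuse the same document.
    try {
      loadSafely(UNTRUSTED);
    } catch (YAMLException e) {
      System.out.println("SafeConstructor rejected: " + e.getMessage());
    }
    try {
      loadWithAllowList(UNTRUSTED);
    } catch (YAMLException e) {
      System.out.println("allow-list rejected: " + e.getMessage());
    }
  }
}
```

Compile and run with snakeyaml 2.0 on the classpath. When auditing an application that bundles SnakeYAML, search for `new Yaml()` and `new Constructor(` on paths that parse untrusted input; on 1.x both are equivalent to the unrestricted loader above, so the upgrade should be paired with a check that no code re-enables global tags with a permissive tag inspector.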
All platforms of the following IBM® Db2® Graph levels are affected:

| Affected Product(s) | Version(s) |
|---|---|
| Db2 Graph | 1.0.0.592 to 1.0.0.1690 |
IBM strongly recommends addressing the vulnerability now by upgrading to the latest IBM® Db2® Graph release containing the fix for this issue.

| Product(s) | Fixed in Version(s) |
|---|---|
| Db2 Graph | 1774-amd64, 1775-amd64, latest-amd64, 1774-ppcle, 1775-ppcle, latest-ppcle, 1774-s390x, 1775-s390x, latest-s390x |

Workarounds and Mitigations: None
CPE:

| Name | Operator | Version |
|---|---|---|
| db2 for linux, unix and windows | eq | 11.5.8.0 |