Remote code execution

2022-11-0419:15:00

PRIOn knowledge base

www.prio-n.com

remote code execution

spring tools 4

eclipse

vscode extensions

snakeyaml library

yaml editing

nvd

9.7 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.8%

JSON

Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use Snakeyaml library for YAML editing support. This library allows for some special syntax in the YAML that under certain circumstances allows for potentially harmful remote code execution by the attacker.

CPENameOperatorVersion
bosh_editorge1.0.0
bosh_editorlt1.40.0
cloudfoundry_manifest_yml_supportge1.0.0
cloudfoundry_manifest_yml_supportlt1.40.0
concourse_ci_pipeline_editorge1.0.0
concourse_ci_pipeline_editorlt1.40.0
spring_boot_toolsge1.0.0
spring_boot_toolslt1.40.0
spring_toolsge4.0.0
spring_toolslt4.16.1

Name	Operator	Version
bosh_editor	ge	1.0.0
bosh_editor	lt	1.40.0
cloudfoundry_manifest_yml_support	ge	1.0.0
cloudfoundry_manifest_yml_support	lt	1.40.0
concourse_ci_pipeline_editor	ge	1.0.0
concourse_ci_pipeline_editor	lt	1.40.0
spring_boot_tools	ge	1.0.0
spring_boot_tools	lt	1.40.0
spring_tools	ge	4.0.0
spring_tools	lt	4.16.1

References

tanzu.vmware.com/security/cve-2022-31691