SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Metrics
Affected Vendors & Products
References
History
Wed, 18 Sep 2024 08:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
MITRE
Status: PUBLISHED
Assigner: Google
Published: 2022-12-01T10:47:07.203Z
Updated: 2024-09-17T13:52:47.976Z
Reserved: 2022-04-26T08:32:53.188Z
Link: CVE-2022-1471
Vulnrichment
Updated: 2024-08-03T00:03:06.269Z
NVD
Status : Modified
Published: 2022-12-01T11:15:10.553
Modified: 2024-06-21T19:15:21.740
Link: CVE-2022-1471
Redhat