CVE-2022-1471

NameCVE-2022-1471
DescriptionSnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
snakeyaml (PTS)buster1.23-1vulnerable
buster (security)1.23-1+deb10u1vulnerable
bullseye1.28-1vulnerable
bookworm, sid1.33-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
snakeyamlsource(unstable)(unfixed)

Notes

https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2

Search for package or bug name: Reporting problems