ByteOS Network

NVD Vulnerability Details :

CVE-2022-1471

Modified

Source-cve-coordination@google.com

Published At-01 Dec, 2022 | 11:15

Updated At-18 Jun, 2025 | 09:15

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	8.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 8.3

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Type: Primary

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CPE Matches

snakeyaml_project>>snakeyaml>>Versions before 2.0(exclusive)

cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-20	Secondary	cve-coordination@google.com
CWE-502	Primary	nvd@nist.gov

CWE ID: CWE-20

Type: Secondary

Source: cve-coordination@google.com

CWE ID: CWE-502

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html	cve-coordination@google.com	N/A
http://www.openwall.com/lists/oss-security/2023/11/19/1	cve-coordination@google.com	N/A
https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479	cve-coordination@google.com	Issue Tracking Third Party Advisory
https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html	cve-coordination@google.com	N/A
https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2	cve-coordination@google.com	Exploit Third Party Advisory
https://github.com/mbechler/marshalsec	cve-coordination@google.com	Exploit Third Party Advisory
https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc	cve-coordination@google.com	N/A
https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c	cve-coordination@google.com	N/A
https://security.netapp.com/advisory/ntap-20230818-0015/	cve-coordination@google.com	N/A
https://security.netapp.com/advisory/ntap-20240621-0006/	cve-coordination@google.com	N/A
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true	cve-coordination@google.com	Exploit Third Party Advisory
http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html	af854a3a-2127-422b-91ae-364da2661108	N/A
http://www.openwall.com/lists/oss-security/2023/11/19/1	af854a3a-2127-422b-91ae-364da2661108	N/A
https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479	af854a3a-2127-422b-91ae-364da2661108	Issue Tracking Third Party Advisory
https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2	af854a3a-2127-422b-91ae-364da2661108	Exploit Third Party Advisory
https://github.com/mbechler/marshalsec	af854a3a-2127-422b-91ae-364da2661108	Exploit Third Party Advisory
https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc	af854a3a-2127-422b-91ae-364da2661108	N/A
https://security.netapp.com/advisory/ntap-20230818-0015/	af854a3a-2127-422b-91ae-364da2661108	N/A
https://security.netapp.com/advisory/ntap-20240621-0006/	af854a3a-2127-422b-91ae-364da2661108	N/A
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true	af854a3a-2127-422b-91ae-364da2661108	Exploit Third Party Advisory