SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
History

Wed, 18 Sep 2024 08:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Google

Published: 2022-12-01T10:47:07.203Z

Updated: 2024-09-17T13:52:47.976Z

Reserved: 2022-04-26T08:32:53.188Z

Link: CVE-2022-1471

cve-icon Vulnrichment

Updated: 2024-08-03T00:03:06.269Z

cve-icon NVD

Status : Modified

Published: 2022-12-01T11:15:10.553

Modified: 2024-11-21T06:40:47.313

Link: CVE-2022-1471

cve-icon Redhat

Severity : Important

Publid Date: 2022-10-13T00:00:00Z

Links: CVE-2022-1471 - Bugzilla