SnakeYaml's Constructor() class does not restrict the types that can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
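An added example of the SafeConstructor recommendation above (not code from the CVE record or from the SnakeYAML project): the class `SafeYamlLoad`, the helper `loadUntrusted`, the alias limit and both sample documents are assumptions constructed for illustration. It assumes a SnakeYAML release in which `SafeConstructor` accepts a `LoaderOptions` argument.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoad {

    // Constructed sample inputs, not taken from the advisory.
    static final String PLAIN = "service: billing\nreplicas: 3\n";
    // A global tag (!!fully.qualified.Class) asks the loader to instantiate that class.
    // java.lang.StringBuilder is a harmless stand-in for a type chosen by the sender.
    static final String TAGGED = "service: !!java.lang.StringBuilder [billing]\n";

    /** Parses untrusted YAML using only standard YAML types (maps, lists, scalars). */
    static Map<String, Object> loadUntrusted(String text) {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false);     // reject ambiguous documents
        options.setMaxAliasesForCollections(50);  // bound alias expansion (assumed limit)
        Yaml yaml = new Yaml(new SafeConstructor(options));
        Object root = yaml.load(text);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the document root");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> map = (Map<String, Object>) root;
        return map;
    }

    public static void main(String[] args) {
        System.out.println("plain document: " + loadUntrusted(PLAIN));
        try {
            loadUntrusted(TAGGED);
            System.out.println("tagged document: accepted (unexpected)");
        } catch (YAMLException e) {
            // SafeConstructor has no constructor registered for the class tag,
            // so the document is rejected before any object is instantiated.
            System.out.println("tagged document rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Treat the `YAMLException` as a rejected input and log it; falling back to the default `Constructor` on failure would reintroduce the unrestricted behaviour.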
MITRE Information
Status: PUBLISHED
Assigner: Google
Published: 2022-12-01T10:47:07.203Z
Updated: 2023-04-25T16:48:44.288Z
Reserved: 2022-04-26T08:32:53.188Z
Link: CVE-2022-1471
NVD Information
Status: Modified
Published: 2022-12-01T11:15:10.553
Modified: 2024-06-21T19:15:21.740
Link: CVE-2022-1471