CVE-2022-1471: SnakeYaml Constructor Deserialization Remote Code Execution
SnakeYaml's Constructor class, which inherits from SafeConstructor, allows any type to be deserialized given the following line:
new Yaml(new Constructor(TestDataClass.class)).load(yamlContent);
Types do not have to match the types of properties in the target class. A ConstructorException is thrown, but only after a malicious payload is deserialized.
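The following is an added example, not code from the advisory or from the SnakeYaml project. It places the vulnerable loading pattern quoted above beside a hardened form that loads untrusted input with SafeConstructor, which only builds the standard YAML types, and then copies the resulting map into the target bean with explicit type checks. TestDataClass, its fields, the loadUnsafe/loadSafe/requireType names and the sample YAML documents are all assumptions made for this example; the constructor signatures shown are those of SnakeYaml 1.x (2.x requires a LoaderOptions argument, e.g. new SafeConstructor(new LoaderOptions())).

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlLoading {

    // Hypothetical target bean standing in for the advisory's TestDataClass.
    public static class TestDataClass {
        public String name;
        public int retries;
    }

    // Constructed benign input: only scalars, so both loaders accept it.
    static final String BENIGN_YAML = "name: worker\nretries: 3\n";

    // Constructed hostile-shaped input: a global tag naming an arbitrary class.
    // The class name is a placeholder; the point is that Constructor instantiates
    // whatever the tag names before it notices the property type does not match.
    static final String UNTRUSTED_YAML = "name: !!com.example.AnyClassOnTheClasspath []\nretries: 3\n";

    // The pattern from the advisory: Constructor resolves any global tag to a
    // Java class, so the type named in the document is instantiated first and
    // the ConstructorException about the mismatch arrives only afterwards.
    static TestDataClass loadUnsafe(String yamlContent) {
        return (TestDataClass) new Yaml(new Constructor(TestDataClass.class)).load(yamlContent);
    }

    // Hardened form: SafeConstructor never resolves tags to application classes.
    // A document carrying a global tag fails with a ConstructorException before
    // any object of that type exists; plain documents come back as Map/List/scalars.
    static TestDataClass loadSafe(String yamlContent) {
        Object root = new Yaml(new SafeConstructor()).load(yamlContent);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the document root");
        }
        Map<?, ?> m = (Map<?, ?>) root;
        TestDataClass t = new TestDataClass();
        // Each field is copied with an explicit type check instead of reflective binding.
        t.name = requireType(m.get("name"), String.class);
        t.retries = requireType(m.get("retries"), Integer.class);
        return t;
    }

    // Rejects a value whose runtime type is not the one the target field expects.
    private static <T> T requireType(Object value, Class<T> type) {
        if (!type.isInstance(value)) {
            throw new IllegalArgumentException("expected " + type.getSimpleName() + " but got "
                    + (value == null ? "null" : value.getClass().getName()));
        }
        return type.cast(value);
    }

    public static void main(String[] args) {
        TestDataClass ok = loadSafe(BENIGN_YAML);
        System.out.println("safe load: name=" + ok.name + " retries=" + ok.retries);

        try {
            loadSafe(UNTRUSTED_YAML);
        } catch (YAMLException e) {
            // SafeConstructor reports the unknown tag; no class was instantiated.
            System.out.println("safe loader rejected global tag: " + e.getMessage());
        }
    }
}
```

The vulnerable loadUnsafe is kept only to show the shape of the call the advisory describes; the fix is to route untrusted YAML through SafeConstructor (or, on SnakeYaml 2.x, to keep the default LoaderOptions, which do not allow global tags) and to map into application types yourself, so that no document can choose the class that gets constructed.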
References
- bitbucket.org/snakeyaml/snakeyaml
- bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758
- bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4
- bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
- bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471
- github.com/advisories/GHSA-mjmj-j48q-9wg2
- github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2
- github.com/mbechler/marshalsec
- groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc
- nvd.nist.gov/vuln/detail/CVE-2022-1471
- security.netapp.com/advisory/ntap-20230818-0015
- security.netapp.com/advisory/ntap-20240621-0006
- snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471
- www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true