CVE-2022-1471: Deserialization of Untrusted Data

December 1, 2022 (updated November 19, 2023)

SnakeYaml’s Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml’s SafeConsturctor when parsing untrusted content to restrict deserialization.

References

bitbucket.org/snakeyaml/snakeyaml/wiki/Changes
github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2
nvd.nist.gov/vuln/detail/CVE-2022-1471

Detect and mitigate CVE-2022-1471 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →