CVE-2022-1471

NameCVE-2022-1471
DescriptionSnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
snakeyaml (PTS)jessie, jessie (lts)1.12-2+deb8u1vulnerable
stretch (lts), stretch1.17-1+deb9u1vulnerable
buster (security), buster, buster (lts)1.23-1+deb10u1vulnerable
bullseye1.28-1+deb11u2vulnerable
sid, trixie, bookworm1.33-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
snakeyamlsource(unstable)(unfixed)unimportant

Notes

https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2
Search for package or bug name: Reporting problems