VDB
DEBIAN-CVE-2022-1471
PUBLISHED
CVSS 9.8 CRITICAL
SnakeYaml's Constructor() class does not restrict which types can be instantiated during deserialization. Deserializing YAML content provided by an attacker can therefore lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content, so that deserialization is restricted to safe types, and upgrading to version 2.0 or later.
Risk Scores
- CVSS 3.1 base score: 9.8
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | snakeyaml | 2.5+ds-1~exp0, 0, 2.0+ds |
| Debian:13 | snakeyaml | 2.4+ds-1~exp0, 2.5+ds-1, 2.5+ds-1~exp0 |
| Debian:11 | snakeyaml | 1.33-2, 2.5+ds-1~exp0, 1.33-1 |
| Debian:12 | snakeyaml | 0, 1.33-2, 2.0+ds |
Exploit Intelligence
- Sentinel demo: transitive snakeyaml CVE-2022-1471 via Spring Boot + exploitable code pattern (github-poc-repo, github-poc)
- Code for veracode blog (github-poc-repo, github-poc)
- SnakeYAML-CVE-2022-1471-POC (github-poc-repo, github-poc)
- SnakeYAML CVE-2022-1471 exploit payload for demo (github-poc-repo, github-poc)
- attacker (github-poc-repo, github-poc)
…and 13 more exploits
Timeline
- Dec 1, 2022 CVE Published
- Apr 28, 2026 CVE Updated