CVE-2022-1471

Public on 2022-12-01
Modified on 2023-03-16
Description
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by a third party can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.

The fix for CVE-2022-1471 changes the default behavior of SnakeYaml’s Constructor() class. This fix is not backward compatible and will break applications that rely on SnakeYaml to parse yaml. Amazon Linux will not apply the fix for CVE-2022-1471 at this time and recommends users of SnakeYaml transition to using the SafeConstructor class for any affected applications.
Severity
Important severity
Important
CVSS v3 Base Score
8.8
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core snakeyaml No Fix Planned
Amazon Linux 2023 snakeyaml No Fix Planned

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD CVSSv3 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H