CVE-2022-1471
Public on 2022-12-01
Modified on 2023-03-16
Description
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by a third party can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
The fix for CVE-2022-1471 changes the default behavior of SnakeYaml’s Constructor() class. This fix is not backward compatible and will break applications that rely on SnakeYaml to parse yaml. Amazon Linux will not apply the fix for CVE-2022-1471 at this time and recommends users of SnakeYaml transition to using the SafeConstructor class for any affected applications.
The fix for CVE-2022-1471 changes the default behavior of SnakeYaml’s Constructor() class. This fix is not backward compatible and will break applications that rely on SnakeYaml to parse yaml. Amazon Linux will not apply the fix for CVE-2022-1471 at this time and recommends users of SnakeYaml transition to using the SafeConstructor class for any affected applications.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | snakeyaml | No Fix Planned | ||
| Amazon Linux 2023 | snakeyaml | No Fix Planned |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 8.8 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | CVSSv3 | 8.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L |