CVE-2022-1471
Severity: 9.8 CRITICAL
EPSS: 93.8% (top 0.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Dec 1
Latest update: Apr 15
Description
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Exploitability: 2.8 | Impact: 5.5
Affected Packages: 4 packages
Vulnerability Details (5)
OSV: CVE-2022-1471: SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization (2022-12-01)
Detection Rules (10)
Suricata: ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 6.13.x - 6.15.x M1 (2023-12-12)
Suricata: ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 8.0 - 8.3 M1 (2023-12-12)
Suricata: ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 7.x M1 (2023-12-12)
Suricata: ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 7.x M2 (2023-12-12)
Suricata: ET WEB_SPECIFIC_APPS Atlassian Jira CVE-2022-1471 Vulnerable Server Detected Version 9.4 - 9.11.1 M2 (2023-12-12)
Vendor Advisories (7)
Oracle: Oracle Communications Applications Risk Matrix: PSR Designer (SnakeYAML), CVE-2022-1471 (2024-01-15)
Oracle: Oracle Financial Services Applications Risk Matrix: Installer (SnakeYAML), CVE-2022-1471 (2023-10-15)
Oracle: Oracle Communications Applications Risk Matrix: REST API (SnakeYAML), CVE-2022-1471 (2023-07-15)
Oracle: Oracle Communications Applications Risk Matrix: Vision (SnakeYAML), CVE-2022-1471 (2023-04-15)