DEBIAN-CVE-2022-1471

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2022-1471

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2022-1471.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2022-1471

Upstream

CVE-2022-1471

Published

2022-12-01T11:15:10Z

Modified

2025-09-18T05:19:14Z

Summary

[none]

Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

References

https://security-tracker.debian.org/tracker/CVE-2022-1471

Affected packages

Debian:11 / snakeyaml

Package

Name: snakeyaml
Purl: pkg:deb/debian/snakeyaml?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / snakeyaml

Package

Name: snakeyaml
Purl: pkg:deb/debian/snakeyaml?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / snakeyaml

Package

Name: snakeyaml
Purl: pkg:deb/debian/snakeyaml?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:14 / snakeyaml

Package

Name: snakeyaml
Purl: pkg:deb/debian/snakeyaml?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "unimportant"
}