bw6-plugin-maven
bw6-plugin-maven copied to clipboard
TIBCOSoftware
CVE-2022-1471 (High) detected in snakeyaml-1.21.jar
CVE-2022-1471 - High Severity Vulnerability
Vulnerable Library - snakeyaml-1.21.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Source/bw6-maven-plugin/pom.xml
Path to vulnerable library: /tory/org/yaml/snakeyaml/1.21/snakeyaml-1.21.jar
Dependency Hierarchy:
- :x: snakeyaml-1.21.jar (Vulnerable Library)
Found in HEAD commit: 4d279939679b1227e061ae92cc6c0d7c9250eb08
Found in base branch: master
Vulnerability Details
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.
Publish Date: 2022-12-01
URL: CVE-2022-1471
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
Release Date: 2022-12-01
Fix Resolution: org.yaml:snakeyaml:2.0
- [ ] Check this box to open an automated fix PR
![mend-for-github-com[bot] avatar](https://avatars.githubusercontent.com/in/30796?v=4 "Published by a pub.dev verified publisher"){kind=small}