https://nvd.nist.gov/vuln/detail/CVE-2022-1471 has an NVD CVSS base score of "9.8 CRITICAL" and says:
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
At the time this page was written, SnakeYaml did not plan to release a version that uses SafeConstructor by default. (SnakeYaml 2.0 later changed the default so that global "!!" tags are rejected unless a TagInspector allows them; NVD lists versions before 2.0 as affected.) FOLIO modules on SnakeYaml 1.x therefore need a manual check of each SnakeYaml use.
The vulnerable path is the global tag: YAML like `!!some.fully.qualified.ClassName [...]` makes the default Constructor look the class up on the classpath and instantiate it, which is how an attacker reaches a gadget class. SafeConstructor only builds the standard YAML types (maps, lists, scalars) and throws on any unknown global tag.
These are vulnerable:
new Yaml()  (equivalent to new Yaml(new Constructor()))
new Yaml(new org.yaml.snakeyaml.constructor.Constructor() [, ...])
new Yaml(new org.yaml.snakeyaml.constructor.CustomClassLoaderConstructor(...) [, ...])  (extends Constructor)
This is not vulnerable:
new Yaml(new org.yaml.snakeyaml.constructor.SafeConstructor() [, ...])
If a different Constructor is passed as first parameter you need to check it manually: anything that extends Constructor (rather than SafeConstructor) inherits the global-tag handling unless it overrides it. Yaml.loadAs(input, SomeClass.class) is not a protection either: only the root node's tag is replaced by the requested type, nested nodes can still carry "!!" tags.
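The following is an added example, not FOLIO code, showing the difference between the two constructors on the same input. It assumes SnakeYaml 1.x on the classpath (the no-arg Constructor() and SafeConstructor() exist there; 2.x requires LoaderOptions). The YAML string is constructed for the demonstration: it only instantiates java.net.URL, which is harmless, but it is created by exactly the mechanism an RCE payload uses.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Shows CVE-2022-1471 behaviour on the SnakeYaml 1.x API (assumption: 1.x on the classpath).
 */
public class SnakeYamlConstructorCheck {

    // Constructed sample input standing in for attacker-controlled YAML.
    // The "!!" global tag names a class on the classpath; the default Constructor
    // resolves it and invokes java.net.URL(String) with the sequence element.
    // Any class with a matching constructor can be instantiated the same way.
    static final String UNTRUSTED_YAML = "!!java.net.URL [\"https://example.com/\"]";

    // Vulnerable: new Yaml() is the same as new Yaml(new Constructor()).
    static Object parseWithDefaultConstructor(String yaml) {
        return new Yaml().load(yaml);
    }

    // Vulnerable: the explicit form flagged above.
    static Object parseWithExplicitConstructor(String yaml) {
        return new Yaml(new Constructor()).load(yaml);
    }

    // Hardened: SafeConstructor builds only maps, lists and scalars and
    // throws a ConstructorException (a YAMLException) on a global tag.
    static Object parseWithSafeConstructor(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    public static void main(String[] args) {
        Object fromDefault = parseWithDefaultConstructor(UNTRUSTED_YAML);
        System.out.println("new Yaml():              " + fromDefault.getClass().getName());

        Object fromExplicit = parseWithExplicitConstructor(UNTRUSTED_YAML);
        System.out.println("new Constructor():       " + fromExplicit.getClass().getName());

        try {
            parseWithSafeConstructor(UNTRUSTED_YAML);
            System.out.println("new SafeConstructor():   accepted (unexpected)");
        } catch (YAMLException e) {
            // Message reads "could not determine a constructor for the tag tag:yaml.org,2002:java.net.URL"
            System.out.println("new SafeConstructor():   rejected: " + e.getMessage());
        }
    }
}
```

The first two calls return a java.net.URL instance, i.e. the parser instantiated a class chosen by the input; the third throws. When reviewing a FOLIO module, the question to answer for every Yaml instance is whether the input it loads can be controlled by anyone other than the repository itself, and if so whether it is built with SafeConstructor.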
Searching for "new yaml" in folio-org:
https://github.com/search?q=org%3Afolio-org+%22new+yaml%22&type=code
SnakeYaml use in common FOLIO dependencies:
- vertx-config/vertx-config-yaml has been fixed since Vert.x 4.3.4
- vertx-web has been fixed since Vert.x 4.3.4
- Spring Framework has been fixed since spring-framework 5.3.4
- Spring Boot has been fixed since spring boot 2.1.15.RELEASE
- Testcontainers is vulnerable when ParsedDockerComposeFile is used with dynamic input.
If SnakeYaml is only used to parse a hard-coded yaml file, such as a configuration file from the git repository, then the vulnerability is not exploitable because an attacker cannot control the YAML content. YAML that comes from a request body, an upload, another service, or a file that users or operators can edit is untrusted input and must go through SafeConstructor.
If Snyk reports "org.yaml:snakeyaml - Arbitrary Code Execution - CVE-2022-1471", investigate as explained above. Set the report to "Ignore" only if the FOLIO code is not vulnerable, and note the reason (for example "SnakeYaml only parses the hard-coded descriptor in the repository") so the decision can be re-checked when the code changes.