
SnakeYaml SafeConstructor


https://nvd.nist.gov/vuln/detail/CVE-2022-1471 has a NIST base score of "9.8 CRITICAL" and says:

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.

SnakeYaml's maintainers do not plan to release a version that uses SafeConstructor by default.

So each SnakeYaml use must be checked manually.

These are vulnerable:

new Yaml()

new Yaml(new org.yaml.snakeyaml.constructor.Constructor() [, ...])

This is not vulnerable:

new Yaml(new org.yaml.snakeyaml.constructor.SafeConstructor() [, ...])

If a different Constructor is passed as the first parameter, you need to check it manually.
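The two patterns side by side, as an added example that is not part of this page or of the SnakeYaml project. It assumes SnakeYaml 1.x (where the no-argument SafeConstructor() used above exists; 2.x requires new SafeConstructor(new LoaderOptions())), and the YAML document and the class name in its tag are constructed placeholders:

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SnakeYamlConstructorCheck {

    // Constructed sample document: a global (!!) tag naming a class.
    // The class name is a placeholder; the point is that the tag asks
    // the loader to instantiate an arbitrary class chosen by the document.
    static final String UNTRUSTED_DOC = "!!com.example.Placeholder {name: test}";

    // Vulnerable pattern from this page: the default Constructor honours
    // any !! tag and tries to load and instantiate the named class.
    static Object loadWithDefaultConstructor(String doc) {
        return new Yaml().load(doc);
    }

    // Safe pattern from this page: SafeConstructor only builds the standard
    // YAML types (maps, lists, strings, numbers, booleans, timestamps, ...)
    // and throws ConstructorException for any tag it does not know.
    static Object loadWithSafeConstructor(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        try {
            loadWithSafeConstructor(UNTRUSTED_DOC);
            System.out.println("unexpected: the tagged document was constructed");
        } catch (ConstructorException e) {
            // Expected: the class named in the tag is never looked up.
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }

        // Ordinary configuration-style YAML without class tags still loads
        // through SafeConstructor, so switching is normally transparent.
        Object config = loadWithSafeConstructor("server:\n  port: 8080\n");
        System.out.println("config loaded safely: " + config);
    }
}
```

Running main shows the rejection message for the tagged document and a map for the plain one; loadWithDefaultConstructor is left uncalled and exists only to show the pattern to replace.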

Searching for "new yaml" in folio-org:

https://github.com/search?q=org%3Afolio-org+%22new+yaml%22&type=code

Use of SnakeYaml in dependencies:

If SnakeYaml is only used to parse a hard-coded yaml file, such as a configuration file from the git repository, then it is not exploitable because no attacker-controlled content reaches the parser.

If Snyk reports "org.yaml:snakeyaml - Arbitrary Code Execution - CVE-2022-1471", investigate as explained above. Set the report to "Ignore" if the FOLIO code is not vulnerable.

