Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.yaml/snakeyaml@1.29

Type maven

Namespace org.yaml

Name snakeyaml

Version 1.29

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.0

Latest_non_vulnerable_version 2.0

Affected_by_vulnerabilities

url VCID-4nu3-fknt-puej

vulnerability_id VCID-4nu3-fknt-puej

summary

snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38750.json

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38750.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-38750

reference_id

reference_type

scores

value	0.00155
scoring_system	epss
scoring_elements	0.36272
published_at	2026-04-16T12:55:00Z

value	0.00155
scoring_system	epss
scoring_elements	0.36228
published_at	2026-04-13T12:55:00Z

value	0.00155
scoring_system	epss
scoring_elements	0.36253
published_at	2026-04-12T12:55:00Z

value	0.00155
scoring_system	epss
scoring_elements	0.36289
published_at	2026-04-11T12:55:00Z

value	0.00155
scoring_system	epss
scoring_elements	0.36284
published_at	2026-04-09T12:55:00Z

value	0.00155
scoring_system	epss
scoring_elements	0.36266
published_at	2026-04-08T12:55:00Z

value	0.00155
scoring_system	epss
scoring_elements	0.36216
published_at	2026-04-07T12:55:00Z

value	0.00155
scoring_system	epss
scoring_elements	0.36382
published_at	2026-04-04T12:55:00Z

value	0.00155
scoring_system	epss
scoring_elements	0.36349
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-38750

reference_url

https://bitbucket.org/snakeyaml/snakeyaml

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-15T18:43:03Z/

url

https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

reference_url

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-15T18:43:03Z/

url

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38750
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38750

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-15T18:43:03Z/

url

https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-38750

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-38750

reference_url

https://security.gentoo.org/glsa/202305-28

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-15T18:43:03Z/

url

https://security.gentoo.org/glsa/202305-28

reference_url

https://security.netapp.com/advisory/ntap-20240315-0010

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240315-0010

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2129707
reference_id	2129707
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2129707

reference_url

https://github.com/advisories/GHSA-hhhw-99gj-p3c3

reference_id

GHSA-hhhw-99gj-p3c3

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hhhw-99gj-p3c3

reference_url

https://security.netapp.com/advisory/ntap-20240315-0010/

reference_id

ntap-20240315-0010

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-15T18:43:03Z/

url

https://security.netapp.com/advisory/ntap-20240315-0010/

reference_url	https://access.redhat.com/errata/RHSA-2022:6757
reference_id	RHSA-2022:6757
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6757

reference_url	https://access.redhat.com/errata/RHSA-2022:8524
reference_id	RHSA-2022:8524
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:8524

reference_url	https://access.redhat.com/errata/RHSA-2022:8876
reference_id	RHSA-2022:8876
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:8876

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

reference_url	https://access.redhat.com/errata/RHSA-2023:2100
reference_id	RHSA-2023:2100
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2100

reference_url	https://access.redhat.com/errata/RHSA-2023:3641
reference_id	RHSA-2023:3641
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3641

reference_url	https://usn.ubuntu.com/5944-1/
reference_id	USN-5944-1
reference_type
scores
url	https://usn.ubuntu.com/5944-1/

fixed_packages

url pkg:maven/org.yaml/snakeyaml@1.31

purl pkg:maven/org.yaml/snakeyaml@1.31

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.31

aliases CVE-2022-38750, GHSA-hhhw-99gj-p3c3

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4nu3-fknt-puej

url VCID-6354-p39b-zbhp

vulnerability_id VCID-6354-p39b-zbhp

summary

snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38749.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38749.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-38749

reference_id

reference_type

scores

value	0.00533
scoring_system	epss
scoring_elements	0.67415
published_at	2026-04-16T12:55:00Z

value	0.00533
scoring_system	epss
scoring_elements	0.6738
published_at	2026-04-13T12:55:00Z

value	0.00533
scoring_system	epss
scoring_elements	0.67414
published_at	2026-04-12T12:55:00Z

value	0.00533
scoring_system	epss
scoring_elements	0.67426
published_at	2026-04-11T12:55:00Z

value	0.00533
scoring_system	epss
scoring_elements	0.67392
published_at	2026-04-08T12:55:00Z

value	0.00533
scoring_system	epss
scoring_elements	0.67364
published_at	2026-04-04T12:55:00Z

value	0.00533
scoring_system	epss
scoring_elements	0.67341
published_at	2026-04-07T12:55:00Z

value	0.00533
scoring_system	epss
scoring_elements	0.67406
published_at	2026-04-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-38749

reference_url

https://arxiv.org/pdf/2306.05534.pdf

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://arxiv.org/pdf/2306.05534.pdf

reference_url

https://bitbucket.org/snakeyaml/snakeyaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open

reference_url

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38749
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38749

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-38749

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-38749

reference_url

https://security.gentoo.org/glsa/202305-28

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.gentoo.org/glsa/202305-28

reference_url

https://security.netapp.com/advisory/ntap-20240315-0010

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240315-0010

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2129706
reference_id	2129706
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2129706

reference_url

https://github.com/advisories/GHSA-c4r9-r8fh-9vj2

reference_id

GHSA-c4r9-r8fh-9vj2

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c4r9-r8fh-9vj2

reference_url	https://access.redhat.com/errata/RHSA-2022:6757
reference_id	RHSA-2022:6757
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6757

reference_url	https://access.redhat.com/errata/RHSA-2022:8524
reference_id	RHSA-2022:8524
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:8524

reference_url	https://access.redhat.com/errata/RHSA-2022:8652
reference_id	RHSA-2022:8652
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:8652

reference_url	https://access.redhat.com/errata/RHSA-2022:8876
reference_id	RHSA-2022:8876
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:8876

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

reference_url	https://access.redhat.com/errata/RHSA-2023:2100
reference_id	RHSA-2023:2100
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2100

reference_url	https://access.redhat.com/errata/RHSA-2023:3641
reference_id	RHSA-2023:3641
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3641

reference_url	https://access.redhat.com/errata/RHSA-2023:7697
reference_id	RHSA-2023:7697
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7697

reference_url	https://usn.ubuntu.com/5944-1/
reference_id	USN-5944-1
reference_type
scores
url	https://usn.ubuntu.com/5944-1/

fixed_packages

url pkg:maven/org.yaml/snakeyaml@1.31

purl pkg:maven/org.yaml/snakeyaml@1.31

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.31

aliases CVE-2022-38749, GHSA-c4r9-r8fh-9vj2

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6354-p39b-zbhp

url VCID-dmkc-42vj-gbhc

vulnerability_id VCID-dmkc-42vj-gbhc

summary

SnakeYaml Constructor Deserialization Remote Code Execution
### Summary
SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows
any type be deserialized given the following line:

new Yaml(new Constructor(TestDataClass.class)).load(yamlContent);

Types do not have to match the types of properties in the
target class. A `ConstructorException` is thrown, but only after a malicious
payload is deserialized.

### Severity
High, lack of type checks during deserialization allows remote code execution.

### Proof of Concept
Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload
for RCE. RCE is demonstrated by using a payload which performs a http request to
http://127.0.0.1:8000.

Example output of successful run of proof of concept:

```
$ bash run.sh

[+] Downloading snakeyaml if needed
[+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE
nc: no process found
[+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server.
[+] An exception is expected.
Exception:
Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0
 in 'string', line 1, column 1:
    payload: !!javax.script.ScriptEn ... 
    ^
Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
 in 'string', line 1, column 10:
    payload: !!javax.script.ScriptEngineManag ... 
             ^

	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174)
	at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158)
	at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491)
	at org.yaml.snakeyaml.Yaml.load(Yaml.java:416)
	at Main.main(Main.java:37)
Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
	at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
	at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
	at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)
	at java.base/java.lang.reflect.Field.set(Field.java:780)
	at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286)
	... 9 more
[+] Dumping Received HTTP Request. Will not be empty if PoC worked
GET /proof-of-concept HTTP/1.1
User-Agent: Java/11.0.14
Host: localhost:8000
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
```

### Further Analysis
Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content.

See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject.

### Timeline
**Date reported**: 4/11/2022
**Date fixed**:  [30/12/2022](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44)
**Date disclosed**: 10/13/2022

references

reference_url

http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1471.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1471.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-1471

reference_id

reference_type

scores

value	0.93849
scoring_system	epss
scoring_elements	0.99866
published_at	2026-04-12T12:55:00Z

value	0.93849
scoring_system	epss
scoring_elements	0.99867
published_at	2026-04-13T12:55:00Z

value	0.93849
scoring_system	epss
scoring_elements	0.99868
published_at	2026-04-16T12:55:00Z

value	0.93849
scoring_system	epss
scoring_elements	0.99865
published_at	2026-04-02T12:55:00Z

value	0.93849
scoring_system	epss
scoring_elements	0.99864
published_at	2026-04-01T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-1471

reference_url

https://bitbucket.org/snakeyaml/snakeyaml

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471

reference_url

https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2

reference_url

https://github.com/mbechler/marshalsec

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://github.com/mbechler/marshalsec

reference_url

https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc

reference_url

https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-1471

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-1471

reference_url

https://security.netapp.com/advisory/ntap-20230818-0015

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20230818-0015

reference_url

https://security.netapp.com/advisory/ntap-20240621-0006

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240621-0006

reference_url

https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471

reference_url

https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

reference_url

http://www.openwall.com/lists/oss-security/2023/11/19/1

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

http://www.openwall.com/lists/oss-security/2023/11/19/1

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2150009
reference_id	2150009
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2150009

reference_url

https://github.com/advisories/GHSA-mjmj-j48q-9wg2

reference_id

GHSA-mjmj-j48q-9wg2

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mjmj-j48q-9wg2

reference_url

https://security.netapp.com/advisory/ntap-20230818-0015/

reference_id

ntap-20230818-0015

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://security.netapp.com/advisory/ntap-20230818-0015/

reference_url	https://access.redhat.com/errata/RHSA-2022:9032
reference_id	RHSA-2022:9032
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:9032

reference_url	https://access.redhat.com/errata/RHSA-2022:9058
reference_id	RHSA-2022:9058
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:9058

reference_url	https://access.redhat.com/errata/RHSA-2023:0697
reference_id	RHSA-2023:0697
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0697

reference_url	https://access.redhat.com/errata/RHSA-2023:0758
reference_id	RHSA-2023:0758
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0758

reference_url	https://access.redhat.com/errata/RHSA-2023:0777
reference_id	RHSA-2023:0777
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0777

reference_url	https://access.redhat.com/errata/RHSA-2023:1006
reference_id	RHSA-2023:1006
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1006

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

reference_url	https://access.redhat.com/errata/RHSA-2023:3198
reference_id	RHSA-2023:3198
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3198

reference_url	https://access.redhat.com/errata/RHSA-2023:5165
reference_id	RHSA-2023:5165
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:5165

reference_url	https://access.redhat.com/errata/RHSA-2023:6171
reference_id	RHSA-2023:6171
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6171

reference_url	https://access.redhat.com/errata/RHSA-2023:7697
reference_id	RHSA-2023:7697
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7697

reference_url	https://access.redhat.com/errata/RHSA-2024:0325
reference_id	RHSA-2024:0325
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0325

reference_url	https://access.redhat.com/errata/RHSA-2024:0775
reference_id	RHSA-2024:0775
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0775

reference_url	https://access.redhat.com/errata/RHSA-2025:1746
reference_id	RHSA-2025:1746
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:1746

reference_url	https://access.redhat.com/errata/RHSA-2025:1747
reference_id	RHSA-2025:1747
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:1747

fixed_packages

url	pkg:maven/org.yaml/snakeyaml@2.0
purl	pkg:maven/org.yaml/snakeyaml@2.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@2.0

aliases CVE-2022-1471, GHSA-mjmj-j48q-9wg2

risk_score 10.0

exploitability 2.0

weighted_severity 8.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dmkc-42vj-gbhc

url VCID-fb8u-g65k-hffs

vulnerability_id VCID-fb8u-g65k-hffs

summary

snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38752.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38752.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-38752

reference_id

reference_type

scores

value	0.00166
scoring_system	epss
scoring_elements	0.37702
published_at	2026-04-13T12:55:00Z

value	0.00166
scoring_system	epss
scoring_elements	0.37728
published_at	2026-04-12T12:55:00Z

value	0.00166
scoring_system	epss
scoring_elements	0.37763
published_at	2026-04-11T12:55:00Z

value	0.00166
scoring_system	epss
scoring_elements	0.3775
published_at	2026-04-16T12:55:00Z

value	0.00166
scoring_system	epss
scoring_elements	0.37737
published_at	2026-04-08T12:55:00Z

value	0.00166
scoring_system	epss
scoring_elements	0.37687
published_at	2026-04-07T12:55:00Z

value	0.00166
scoring_system	epss
scoring_elements	0.37808
published_at	2026-04-04T12:55:00Z

value	0.00166
scoring_system	epss
scoring_elements	0.37782
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-38752

reference_url

https://bitbucket.org/snakeyaml/snakeyaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-22T14:02:33Z/

url

https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081

reference_url

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-22T14:02:33Z/

url

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38752
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38752

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-38752

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-38752

reference_url

https://security.gentoo.org/glsa/202305-28

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-22T14:02:33Z/

url

https://security.gentoo.org/glsa/202305-28

reference_url

https://security.netapp.com/advisory/ntap-20240315-0009

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240315-0009

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021014
reference_id	1021014
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021014

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2129710
reference_id	2129710
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2129710

reference_url

https://github.com/advisories/GHSA-9w3m-gqgf-c4p9

reference_id

GHSA-9w3m-gqgf-c4p9

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9w3m-gqgf-c4p9

reference_url

https://security.netapp.com/advisory/ntap-20240315-0009/

reference_id

ntap-20240315-0009

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-22T14:02:33Z/

url

https://security.netapp.com/advisory/ntap-20240315-0009/

reference_url	https://access.redhat.com/errata/RHSA-2022:6757
reference_id	RHSA-2022:6757
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6757

reference_url	https://access.redhat.com/errata/RHSA-2022:8524
reference_id	RHSA-2022:8524
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:8524

reference_url	https://access.redhat.com/errata/RHSA-2023:0189
reference_id	RHSA-2023:0189
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0189

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

reference_url	https://access.redhat.com/errata/RHSA-2023:2100
reference_id	RHSA-2023:2100
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2100

reference_url	https://access.redhat.com/errata/RHSA-2023:2705
reference_id	RHSA-2023:2705
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2705

reference_url	https://access.redhat.com/errata/RHSA-2023:2706
reference_id	RHSA-2023:2706
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2706

reference_url	https://access.redhat.com/errata/RHSA-2023:2707
reference_id	RHSA-2023:2707
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2707

reference_url	https://access.redhat.com/errata/RHSA-2023:2710
reference_id	RHSA-2023:2710
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2710

reference_url	https://access.redhat.com/errata/RHSA-2023:2713
reference_id	RHSA-2023:2713
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2713

reference_url	https://access.redhat.com/errata/RHSA-2023:3641
reference_id	RHSA-2023:3641
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3641

fixed_packages

url pkg:maven/org.yaml/snakeyaml@1.32

purl pkg:maven/org.yaml/snakeyaml@1.32

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dmkc-42vj-gbhc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.32

aliases CVE-2022-38752, GHSA-9w3m-gqgf-c4p9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fb8u-g65k-hffs

url VCID-mm3e-4pej-byed

vulnerability_id VCID-mm3e-4pej-byed

summary

Uncontrolled Resource Consumption in snakeyaml
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25857.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25857.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-25857

reference_id

reference_type

scores

value	0.00869
scoring_system	epss
scoring_elements	0.7521
published_at	2026-04-16T12:55:00Z

value	0.00869
scoring_system	epss
scoring_elements	0.75162
published_at	2026-04-04T12:55:00Z

value	0.00869
scoring_system	epss
scoring_elements	0.75207
published_at	2026-04-11T12:55:00Z

value	0.00869
scoring_system	epss
scoring_elements	0.75185
published_at	2026-04-12T12:55:00Z

value	0.00869
scoring_system	epss
scoring_elements	0.75173
published_at	2026-04-13T12:55:00Z

value	0.00869
scoring_system	epss
scoring_elements	0.75139
published_at	2026-04-07T12:55:00Z

value	0.00869
scoring_system	epss
scoring_elements	0.75132
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-25857

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/issues/525

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/issues/525

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/jruby/jruby/issues/7342

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

url

https://github.com/jruby/jruby/issues/7342

reference_url

https://github.com/snakeyaml/snakeyaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/snakeyaml/snakeyaml

reference_url

https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174

reference_url

https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-25857

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-25857

reference_url

https://security.netapp.com/advisory/ntap-20240315-0010

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240315-0010

reference_url

https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019218
reference_id	1019218
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019218

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2126789
reference_id	2126789
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2126789

reference_url

https://github.com/advisories/GHSA-3mc7-4q67-w48m

reference_id

GHSA-3mc7-4q67-w48m

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3mc7-4q67-w48m

reference_url	https://access.redhat.com/errata/RHSA-2022:6757
reference_id	RHSA-2022:6757
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6757

reference_url	https://access.redhat.com/errata/RHSA-2022:6820
reference_id	RHSA-2022:6820
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6820

reference_url	https://access.redhat.com/errata/RHSA-2022:6821
reference_id	RHSA-2022:6821
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6821

reference_url	https://access.redhat.com/errata/RHSA-2022:6822
reference_id	RHSA-2022:6822
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6822

reference_url	https://access.redhat.com/errata/RHSA-2022:6823
reference_id	RHSA-2022:6823
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6823

reference_url	https://access.redhat.com/errata/RHSA-2022:6825
reference_id	RHSA-2022:6825
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6825

reference_url	https://access.redhat.com/errata/RHSA-2022:6835
reference_id	RHSA-2022:6835
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6835

reference_url	https://access.redhat.com/errata/RHSA-2022:6941
reference_id	RHSA-2022:6941
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6941

reference_url	https://access.redhat.com/errata/RHSA-2022:8524
reference_id	RHSA-2022:8524
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:8524

reference_url	https://access.redhat.com/errata/RHSA-2022:8652
reference_id	RHSA-2022:8652
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:8652

reference_url	https://access.redhat.com/errata/RHSA-2022:8876
reference_id	RHSA-2022:8876
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:8876

reference_url	https://access.redhat.com/errata/RHSA-2023:0560
reference_id	RHSA-2023:0560
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0560

reference_url	https://access.redhat.com/errata/RHSA-2023:0777
reference_id	RHSA-2023:0777
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0777

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

reference_url	https://access.redhat.com/errata/RHSA-2023:2100
reference_id	RHSA-2023:2100
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2100

reference_url	https://access.redhat.com/errata/RHSA-2023:3198
reference_id	RHSA-2023:3198
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3198

reference_url	https://access.redhat.com/errata/RHSA-2023:3641
reference_id	RHSA-2023:3641
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3641

reference_url	https://access.redhat.com/errata/RHSA-2023:4983
reference_id	RHSA-2023:4983
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:4983

reference_url	https://access.redhat.com/errata/RHSA-2023:6172
reference_id	RHSA-2023:6172
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6172

reference_url	https://access.redhat.com/errata/RHSA-2023:6179
reference_id	RHSA-2023:6179
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6179

reference_url	https://access.redhat.com/errata/RHSA-2023:7288
reference_id	RHSA-2023:7288
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7288

reference_url	https://access.redhat.com/errata/RHSA-2023:7697
reference_id	RHSA-2023:7697
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7697

reference_url	https://access.redhat.com/errata/RHSA-2024:0776
reference_id	RHSA-2024:0776
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0776

reference_url	https://access.redhat.com/errata/RHSA-2024:0777
reference_id	RHSA-2024:0777
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0777

reference_url	https://access.redhat.com/errata/RHSA-2024:0778
reference_id	RHSA-2024:0778
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0778

reference_url	https://access.redhat.com/errata/RHSA-2025:4437
reference_id	RHSA-2025:4437
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:4437

reference_url	https://usn.ubuntu.com/5944-1/
reference_id	USN-5944-1
reference_type
scores
url	https://usn.ubuntu.com/5944-1/

fixed_packages

url pkg:maven/org.yaml/snakeyaml@1.31

purl pkg:maven/org.yaml/snakeyaml@1.31

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.31

aliases CVE-2022-25857, GHSA-3mc7-4q67-w48m

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mm3e-4pej-byed

url VCID-qxfs-sq38-jfad

vulnerability_id VCID-qxfs-sq38-jfad

summary

snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38751.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38751.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-38751

reference_id

reference_type

scores

value	0.0021
scoring_system	epss
scoring_elements	0.43507
published_at	2026-04-16T12:55:00Z

value	0.0021
scoring_system	epss
scoring_elements	0.43475
published_at	2026-04-09T12:55:00Z

value	0.0021
scoring_system	epss
scoring_elements	0.43447
published_at	2026-04-13T12:55:00Z

value	0.0021
scoring_system	epss
scoring_elements	0.43462
published_at	2026-04-12T12:55:00Z

value	0.0021
scoring_system	epss
scoring_elements	0.43493
published_at	2026-04-11T12:55:00Z

value	0.0021
scoring_system	epss
scoring_elements	0.43461
published_at	2026-04-08T12:55:00Z

value	0.0021
scoring_system	epss
scoring_elements	0.43445
published_at	2026-04-02T12:55:00Z

value	0.0021
scoring_system	epss
scoring_elements	0.43472
published_at	2026-04-04T12:55:00Z

value	0.0021
scoring_system	epss
scoring_elements	0.4341
published_at	2026-04-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-38751

reference_url

https://bitbucket.org/snakeyaml/snakeyaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:36:32Z/

url

https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/src/master/src/test/java/org/yaml/snakeyaml/issues/issue530/Fuzzy47039Test.java

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/src/master/src/test/java/org/yaml/snakeyaml/issues/issue530/Fuzzy47039Test.java

reference_url

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:36:32Z/

url

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38751
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38751

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:36:32Z/

url

https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-38751

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-38751

reference_url

https://security.gentoo.org/glsa/202305-28

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:36:32Z/

url

https://security.gentoo.org/glsa/202305-28

reference_url

https://security.netapp.com/advisory/ntap-20240315-0010

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240315-0010

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2129709
reference_id	2129709
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2129709

reference_url

https://github.com/advisories/GHSA-98wm-3w3q-mw94

reference_id

GHSA-98wm-3w3q-mw94

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-98wm-3w3q-mw94

reference_url

https://security.netapp.com/advisory/ntap-20240315-0010/

reference_id

ntap-20240315-0010

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-21T13:36:32Z/

url

https://security.netapp.com/advisory/ntap-20240315-0010/

reference_url	https://access.redhat.com/errata/RHSA-2022:6757
reference_id	RHSA-2022:6757
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6757

reference_url	https://access.redhat.com/errata/RHSA-2022:8524
reference_id	RHSA-2022:8524
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:8524

reference_url	https://access.redhat.com/errata/RHSA-2022:8876
reference_id	RHSA-2022:8876
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:8876

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

reference_url	https://access.redhat.com/errata/RHSA-2023:2100
reference_id	RHSA-2023:2100
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2100

reference_url	https://access.redhat.com/errata/RHSA-2023:3641
reference_id	RHSA-2023:3641
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3641

reference_url	https://usn.ubuntu.com/5944-1/
reference_id	USN-5944-1
reference_type
scores
url	https://usn.ubuntu.com/5944-1/

fixed_packages

url pkg:maven/org.yaml/snakeyaml@1.31

purl pkg:maven/org.yaml/snakeyaml@1.31

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.31

aliases CVE-2022-38751, GHSA-98wm-3w3q-mw94

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qxfs-sq38-jfad

url VCID-sqsn-ygsg-yfdu

vulnerability_id VCID-sqsn-ygsg-yfdu

summary

Snakeyaml vulnerable to Stack overflow leading to denial of service
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41854.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41854.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-41854

reference_id

reference_type

scores

value	0.00077
scoring_system	epss
scoring_elements	0.23025
published_at	2026-04-16T12:55:00Z

value	0.00077
scoring_system	epss
scoring_elements	0.23012
published_at	2026-04-13T12:55:00Z

value	0.00077
scoring_system	epss
scoring_elements	0.23068
published_at	2026-04-12T12:55:00Z

value	0.00077
scoring_system	epss
scoring_elements	0.23105
published_at	2026-04-11T12:55:00Z

value	0.00077
scoring_system	epss
scoring_elements	0.23124
published_at	2026-04-02T12:55:00Z

value	0.00077
scoring_system	epss
scoring_elements	0.23168
published_at	2026-04-04T12:55:00Z

value	0.00077
scoring_system	epss
scoring_elements	0.22959
published_at	2026-04-07T12:55:00Z

value	0.00077
scoring_system	epss
scoring_elements	0.23032
published_at	2026-04-08T12:55:00Z

value	0.00077
scoring_system	epss
scoring_elements	0.23085
published_at	2026-04-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-41854

reference_url

https://bitbucket.org/snakeyaml/snakeyaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/commits/e230a1758842beec93d28eddfde568c21774780a

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/commits/e230a1758842beec93d28eddfde568c21774780a

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/issues/531

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/issues/531

reference_url

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41854
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41854

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-41854

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-41854

reference_url

https://security.netapp.com/advisory/ntap-20240315-0009

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240315-0009

reference_url

https://security.netapp.com/advisory/ntap-20240621-0006

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240621-0006

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2151988
reference_id	2151988
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2151988

reference_url

https://github.com/advisories/GHSA-w37g-rhq8-7m4j

reference_id

GHSA-w37g-rhq8-7m4j

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-w37g-rhq8-7m4j

reference_url	https://access.redhat.com/errata/RHSA-2023:0577
reference_id	RHSA-2023:0577
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0577

reference_url	https://access.redhat.com/errata/RHSA-2023:2100
reference_id	RHSA-2023:2100
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2100

reference_url	https://access.redhat.com/errata/RHSA-2023:2705
reference_id	RHSA-2023:2705
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2705

reference_url	https://access.redhat.com/errata/RHSA-2023:2706
reference_id	RHSA-2023:2706
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2706

reference_url	https://access.redhat.com/errata/RHSA-2023:2707
reference_id	RHSA-2023:2707
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2707

reference_url	https://access.redhat.com/errata/RHSA-2023:2710
reference_id	RHSA-2023:2710
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2710

reference_url	https://access.redhat.com/errata/RHSA-2023:2713
reference_id	RHSA-2023:2713
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2713

reference_url	https://access.redhat.com/errata/RHSA-2023:3373
reference_id	RHSA-2023:3373
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3373

reference_url	https://access.redhat.com/errata/RHSA-2023:3641
reference_id	RHSA-2023:3641
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3641

reference_url	https://access.redhat.com/errata/RHSA-2023:4627
reference_id	RHSA-2023:4627
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:4627

reference_url	https://access.redhat.com/errata/RHSA-2023:4983
reference_id	RHSA-2023:4983
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:4983

reference_url	https://access.redhat.com/errata/RHSA-2023:7697
reference_id	RHSA-2023:7697
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7697

fixed_packages

url pkg:maven/org.yaml/snakeyaml@1.32

purl pkg:maven/org.yaml/snakeyaml@1.32

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dmkc-42vj-gbhc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.32

aliases CVE-2022-41854, GHSA-w37g-rhq8-7m4j

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sqsn-ygsg-yfdu

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.29

Package Instance