Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.yaml/snakeyaml@1.32
Typemaven
Namespaceorg.yaml
Namesnakeyaml
Version1.32
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.0
Latest_non_vulnerable_version2.0
Affected_by_vulnerabilities
0
url VCID-dmkc-42vj-gbhc
vulnerability_id VCID-dmkc-42vj-gbhc
summary 
SnakeYaml Constructor Deserialization Remote Code Execution
### Summary
SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows
any type be deserialized given the following line:

new Yaml(new Constructor(TestDataClass.class)).load(yamlContent);

Types do not have to match the types of properties in the
target class. A `ConstructorException` is thrown, but only after a malicious
payload is deserialized.

### Severity
High, lack of type checks during deserialization allows remote code execution.

### Proof of Concept
Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload
for RCE. RCE is demonstrated by using a payload which performs a http request to
http://127.0.0.1:8000.

Example output of successful run of proof of concept:

```
$ bash run.sh

[+] Downloading snakeyaml if needed
[+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE
nc: no process found
[+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server.
[+] An exception is expected.
Exception:
Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0
 in 'string', line 1, column 1:
    payload: !!javax.script.ScriptEn ... 
    ^
Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
 in 'string', line 1, column 10:
    payload: !!javax.script.ScriptEngineManag ... 
             ^

	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174)
	at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158)
	at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491)
	at org.yaml.snakeyaml.Yaml.load(Yaml.java:416)
	at Main.main(Main.java:37)
Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
	at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
	at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
	at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)
	at java.base/java.lang.reflect.Field.set(Field.java:780)
	at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286)
	... 9 more
[+] Dumping Received HTTP Request. Will not be empty if PoC worked
GET /proof-of-concept HTTP/1.1
User-Agent: Java/11.0.14
Host: localhost:8000
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
```

### Further Analysis
Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content.

See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject.

### Timeline
**Date reported**: 4/11/2022
**Date fixed**:  [30/12/2022](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44)
**Date disclosed**: 10/13/2022
references
0
reference_url http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/
url http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1471.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1471.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-1471
reference_id
reference_type
scores
0
value 0.93849
scoring_system epss
scoring_elements 0.99866
published_at 2026-04-12T12:55:00Z
1
value 0.93849
scoring_system epss
scoring_elements 0.99867
published_at 2026-04-21T12:55:00Z
2
value 0.93849
scoring_system epss
scoring_elements 0.99868
published_at 2026-04-16T12:55:00Z
3
value 0.93849
scoring_system epss
scoring_elements 0.99865
published_at 2026-04-02T12:55:00Z
4
value 0.93849
scoring_system epss
scoring_elements 0.99864
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-1471
3
reference_url https://bitbucket.org/snakeyaml/snakeyaml
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bitbucket.org/snakeyaml/snakeyaml
4
reference_url https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758
5
reference_url https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4
6
reference_url https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/
url https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479
7
reference_url https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
8
reference_url https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314
9
reference_url https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471
10
reference_url https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/
url https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471
12
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
13
reference_url https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/
url https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2
14
reference_url https://github.com/mbechler/marshalsec
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/
url https://github.com/mbechler/marshalsec
15
reference_url https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/
url https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc
16
reference_url https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/
url https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-1471
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-1471
18
reference_url https://security.netapp.com/advisory/ntap-20230818-0015
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20230818-0015
19
reference_url https://security.netapp.com/advisory/ntap-20240621-0006
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240621-0006
20
reference_url https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471
21
reference_url https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/
url https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
22
reference_url http://www.openwall.com/lists/oss-security/2023/11/19/1
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/
url http://www.openwall.com/lists/oss-security/2023/11/19/1
23
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2150009
reference_id 2150009
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2150009
24
reference_url https://github.com/advisories/GHSA-mjmj-j48q-9wg2
reference_id GHSA-mjmj-j48q-9wg2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mjmj-j48q-9wg2
25
reference_url https://security.netapp.com/advisory/ntap-20230818-0015/
reference_id ntap-20230818-0015
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/
url https://security.netapp.com/advisory/ntap-20230818-0015/
26
reference_url https://access.redhat.com/errata/RHSA-2022:9032
reference_id RHSA-2022:9032
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:9032
27
reference_url https://access.redhat.com/errata/RHSA-2022:9058
reference_id RHSA-2022:9058
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:9058
28
reference_url https://access.redhat.com/errata/RHSA-2023:0697
reference_id RHSA-2023:0697
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0697
29
reference_url https://access.redhat.com/errata/RHSA-2023:0758
reference_id RHSA-2023:0758
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0758
30
reference_url https://access.redhat.com/errata/RHSA-2023:0777
reference_id RHSA-2023:0777
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0777
31
reference_url https://access.redhat.com/errata/RHSA-2023:1006
reference_id RHSA-2023:1006
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1006
32
reference_url https://access.redhat.com/errata/RHSA-2023:2097
reference_id RHSA-2023:2097
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2097
33
reference_url https://access.redhat.com/errata/RHSA-2023:3198
reference_id RHSA-2023:3198
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3198
34
reference_url https://access.redhat.com/errata/RHSA-2023:5165
reference_id RHSA-2023:5165
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:5165
35
reference_url https://access.redhat.com/errata/RHSA-2023:6171
reference_id RHSA-2023:6171
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6171
36
reference_url https://access.redhat.com/errata/RHSA-2023:7697
reference_id RHSA-2023:7697
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7697
37
reference_url https://access.redhat.com/errata/RHSA-2024:0325
reference_id RHSA-2024:0325
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0325
38
reference_url https://access.redhat.com/errata/RHSA-2024:0775
reference_id RHSA-2024:0775
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0775
39
reference_url https://access.redhat.com/errata/RHSA-2025:1746
reference_id RHSA-2025:1746
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1746
40
reference_url https://access.redhat.com/errata/RHSA-2025:1747
reference_id RHSA-2025:1747
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1747
fixed_packages
0
url pkg:maven/org.yaml/snakeyaml@2.0
purl pkg:maven/org.yaml/snakeyaml@2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@2.0
aliases CVE-2022-1471, GHSA-mjmj-j48q-9wg2
risk_score 10.0
exploitability 2.0
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dmkc-42vj-gbhc
Fixing_vulnerabilities
0
url VCID-fb8u-g65k-hffs
vulnerability_id VCID-fb8u-g65k-hffs
summary 
snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38752.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38752.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-38752
reference_id
reference_type
scores
0
value 0.00166
scoring_system epss
scoring_elements 0.37702
published_at 2026-04-13T12:55:00Z
1
value 0.00166
scoring_system epss
scoring_elements 0.37728
published_at 2026-04-12T12:55:00Z
2
value 0.00166
scoring_system epss
scoring_elements 0.37763
published_at 2026-04-11T12:55:00Z
3
value 0.00166
scoring_system epss
scoring_elements 0.3775
published_at 2026-04-16T12:55:00Z
4
value 0.00166
scoring_system epss
scoring_elements 0.37737
published_at 2026-04-08T12:55:00Z
5
value 0.00166
scoring_system epss
scoring_elements 0.37687
published_at 2026-04-07T12:55:00Z
6
value 0.00166
scoring_system epss
scoring_elements 0.37808
published_at 2026-04-04T12:55:00Z
7
value 0.00166
scoring_system epss
scoring_elements 0.37782
published_at 2026-04-02T12:55:00Z
8
value 0.00205
scoring_system epss
scoring_elements 0.42655
published_at 2026-04-21T12:55:00Z
9
value 0.00205
scoring_system epss
scoring_elements 0.42718
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-38752
2
reference_url https://bitbucket.org/snakeyaml/snakeyaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bitbucket.org/snakeyaml/snakeyaml
3
reference_url https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-22T14:02:33Z/
url https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081
4
reference_url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-22T14:02:33Z/
url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38752
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38752
6
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-38752
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-38752
8
reference_url https://security.gentoo.org/glsa/202305-28
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-22T14:02:33Z/
url https://security.gentoo.org/glsa/202305-28
9
reference_url https://security.netapp.com/advisory/ntap-20240315-0009
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240315-0009
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021014
reference_id 1021014
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021014
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2129710
reference_id 2129710
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2129710
12
reference_url https://github.com/advisories/GHSA-9w3m-gqgf-c4p9
reference_id GHSA-9w3m-gqgf-c4p9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9w3m-gqgf-c4p9
13
reference_url https://security.netapp.com/advisory/ntap-20240315-0009/
reference_id ntap-20240315-0009
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-22T14:02:33Z/
url https://security.netapp.com/advisory/ntap-20240315-0009/
14
reference_url https://access.redhat.com/errata/RHSA-2022:6757
reference_id RHSA-2022:6757
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:6757
15
reference_url https://access.redhat.com/errata/RHSA-2022:8524
reference_id RHSA-2022:8524
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:8524
16
reference_url https://access.redhat.com/errata/RHSA-2023:0189
reference_id RHSA-2023:0189
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0189
17
reference_url https://access.redhat.com/errata/RHSA-2023:2097
reference_id RHSA-2023:2097
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2097
18
reference_url https://access.redhat.com/errata/RHSA-2023:2100
reference_id RHSA-2023:2100
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2100
19
reference_url https://access.redhat.com/errata/RHSA-2023:2705
reference_id RHSA-2023:2705
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2705
20
reference_url https://access.redhat.com/errata/RHSA-2023:2706
reference_id RHSA-2023:2706
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2706
21
reference_url https://access.redhat.com/errata/RHSA-2023:2707
reference_id RHSA-2023:2707
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2707
22
reference_url https://access.redhat.com/errata/RHSA-2023:2710
reference_id RHSA-2023:2710
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2710
23
reference_url https://access.redhat.com/errata/RHSA-2023:2713
reference_id RHSA-2023:2713
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2713
24
reference_url https://access.redhat.com/errata/RHSA-2023:3641
reference_id RHSA-2023:3641
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3641
fixed_packages
0
url pkg:maven/org.yaml/snakeyaml@1.32
purl pkg:maven/org.yaml/snakeyaml@1.32
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dmkc-42vj-gbhc
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.32
aliases CVE-2022-38752, GHSA-9w3m-gqgf-c4p9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fb8u-g65k-hffs
1
url VCID-sqsn-ygsg-yfdu
vulnerability_id VCID-sqsn-ygsg-yfdu
summary 
Snakeyaml vulnerable to Stack overflow leading to denial of service
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41854.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-41854.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-41854
reference_id
reference_type
scores
0
value 0.00077
scoring_system epss
scoring_elements 0.23168
published_at 2026-04-04T12:55:00Z
1
value 0.00077
scoring_system epss
scoring_elements 0.23025
published_at 2026-04-16T12:55:00Z
2
value 0.00077
scoring_system epss
scoring_elements 0.23012
published_at 2026-04-13T12:55:00Z
3
value 0.00077
scoring_system epss
scoring_elements 0.23068
published_at 2026-04-12T12:55:00Z
4
value 0.00077
scoring_system epss
scoring_elements 0.23105
published_at 2026-04-11T12:55:00Z
5
value 0.00077
scoring_system epss
scoring_elements 0.23085
published_at 2026-04-09T12:55:00Z
6
value 0.00077
scoring_system epss
scoring_elements 0.23032
published_at 2026-04-08T12:55:00Z
7
value 0.00077
scoring_system epss
scoring_elements 0.22959
published_at 2026-04-07T12:55:00Z
8
value 0.00077
scoring_system epss
scoring_elements 0.23124
published_at 2026-04-02T12:55:00Z
9
value 0.00103
scoring_system epss
scoring_elements 0.28162
published_at 2026-04-18T12:55:00Z
10
value 0.00116
scoring_system epss
scoring_elements 0.30262
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-41854
2
reference_url https://bitbucket.org/snakeyaml/snakeyaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bitbucket.org/snakeyaml/snakeyaml
3
reference_url https://bitbucket.org/snakeyaml/snakeyaml/commits/e230a1758842beec93d28eddfde568c21774780a
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bitbucket.org/snakeyaml/snakeyaml/commits/e230a1758842beec93d28eddfde568c21774780a
4
reference_url https://bitbucket.org/snakeyaml/snakeyaml/issues/531
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bitbucket.org/snakeyaml/snakeyaml/issues/531
5
reference_url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41854
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41854
7
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-41854
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-41854
15
reference_url https://security.netapp.com/advisory/ntap-20240315-0009
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240315-0009
16
reference_url https://security.netapp.com/advisory/ntap-20240621-0006
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240621-0006
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2151988
reference_id 2151988
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2151988
18
reference_url https://github.com/advisories/GHSA-w37g-rhq8-7m4j
reference_id GHSA-w37g-rhq8-7m4j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w37g-rhq8-7m4j
19
reference_url https://access.redhat.com/errata/RHSA-2023:0577
reference_id RHSA-2023:0577
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0577
20
reference_url https://access.redhat.com/errata/RHSA-2023:2100
reference_id RHSA-2023:2100
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2100
21
reference_url https://access.redhat.com/errata/RHSA-2023:2705
reference_id RHSA-2023:2705
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2705
22
reference_url https://access.redhat.com/errata/RHSA-2023:2706
reference_id RHSA-2023:2706
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2706
23
reference_url https://access.redhat.com/errata/RHSA-2023:2707
reference_id RHSA-2023:2707
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2707
24
reference_url https://access.redhat.com/errata/RHSA-2023:2710
reference_id RHSA-2023:2710
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2710
25
reference_url https://access.redhat.com/errata/RHSA-2023:2713
reference_id RHSA-2023:2713
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2713
26
reference_url https://access.redhat.com/errata/RHSA-2023:3373
reference_id RHSA-2023:3373
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3373
27
reference_url https://access.redhat.com/errata/RHSA-2023:3641
reference_id RHSA-2023:3641
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3641
28
reference_url https://access.redhat.com/errata/RHSA-2023:4627
reference_id RHSA-2023:4627
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:4627
29
reference_url https://access.redhat.com/errata/RHSA-2023:4983
reference_id RHSA-2023:4983
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:4983
30
reference_url https://access.redhat.com/errata/RHSA-2023:7697
reference_id RHSA-2023:7697
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7697
fixed_packages
0
url pkg:maven/org.yaml/snakeyaml@1.32
purl pkg:maven/org.yaml/snakeyaml@1.32
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dmkc-42vj-gbhc
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.32
aliases CVE-2022-41854, GHSA-w37g-rhq8-7m4j
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sqsn-ygsg-yfdu
Risk_score10.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.32