Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-dmkc-42vj-gbhc

Summary

SnakeYaml Constructor Deserialization Remote Code Execution
### Summary
SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows
any type be deserialized given the following line:

new Yaml(new Constructor(TestDataClass.class)).load(yamlContent);

Types do not have to match the types of properties in the
target class. A `ConstructorException` is thrown, but only after a malicious
payload is deserialized.

### Severity
High, lack of type checks during deserialization allows remote code execution.

### Proof of Concept
Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload
for RCE. RCE is demonstrated by using a payload which performs a http request to
http://127.0.0.1:8000.

Example output of successful run of proof of concept:

```
$ bash run.sh

[+] Downloading snakeyaml if needed
[+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE
nc: no process found
[+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server.
[+] An exception is expected.
Exception:
Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0
 in 'string', line 1, column 1:
    payload: !!javax.script.ScriptEn ... 
    ^
Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
 in 'string', line 1, column 10:
    payload: !!javax.script.ScriptEngineManag ... 
             ^

	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174)
	at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158)
	at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491)
	at org.yaml.snakeyaml.Yaml.load(Yaml.java:416)
	at Main.main(Main.java:37)
Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
	at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
	at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
	at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)
	at java.base/java.lang.reflect.Field.set(Field.java:780)
	at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286)
	... 9 more
[+] Dumping Received HTTP Request. Will not be empty if PoC worked
GET /proof-of-concept HTTP/1.1
User-Agent: Java/11.0.14
Host: localhost:8000
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
```

### Further Analysis
Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content.

See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject.

### Timeline
**Date reported**: 4/11/2022
**Date fixed**:  [30/12/2022](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44)
**Date disclosed**: 10/13/2022

Aliases

alias	CVE-2022-1471

alias	GHSA-mjmj-j48q-9wg2

Fixed_packages

url	pkg:maven/org.yaml/snakeyaml@2.0
purl	pkg:maven/org.yaml/snakeyaml@2.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@2.0

Affected_packages

url pkg:maven/org.yaml/snakeyaml@1.4

purl pkg:maven/org.yaml/snakeyaml@1.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.4

url pkg:maven/org.yaml/snakeyaml@1.5

purl pkg:maven/org.yaml/snakeyaml@1.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.5

url pkg:maven/org.yaml/snakeyaml@1.6

purl pkg:maven/org.yaml/snakeyaml@1.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.6

url pkg:maven/org.yaml/snakeyaml@1.7

purl pkg:maven/org.yaml/snakeyaml@1.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.7

url pkg:maven/org.yaml/snakeyaml@1.8

purl pkg:maven/org.yaml/snakeyaml@1.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.8

url pkg:maven/org.yaml/snakeyaml@1.9

purl pkg:maven/org.yaml/snakeyaml@1.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.9

url pkg:maven/org.yaml/snakeyaml@1.10

purl pkg:maven/org.yaml/snakeyaml@1.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.10

url pkg:maven/org.yaml/snakeyaml@1.11

purl pkg:maven/org.yaml/snakeyaml@1.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.11

url pkg:maven/org.yaml/snakeyaml@1.12

purl pkg:maven/org.yaml/snakeyaml@1.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.12

url pkg:maven/org.yaml/snakeyaml@1.13

purl pkg:maven/org.yaml/snakeyaml@1.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.13

url pkg:maven/org.yaml/snakeyaml@1.14

purl pkg:maven/org.yaml/snakeyaml@1.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.14

url pkg:maven/org.yaml/snakeyaml@1.15

purl pkg:maven/org.yaml/snakeyaml@1.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.15

url pkg:maven/org.yaml/snakeyaml@1.16

purl pkg:maven/org.yaml/snakeyaml@1.16

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.16

url pkg:maven/org.yaml/snakeyaml@1.17

purl pkg:maven/org.yaml/snakeyaml@1.17

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.17

url pkg:maven/org.yaml/snakeyaml@1.18

purl pkg:maven/org.yaml/snakeyaml@1.18

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.18

url pkg:maven/org.yaml/snakeyaml@1.19

purl pkg:maven/org.yaml/snakeyaml@1.19

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.19

url pkg:maven/org.yaml/snakeyaml@1.20

purl pkg:maven/org.yaml/snakeyaml@1.20

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.20

url pkg:maven/org.yaml/snakeyaml@1.21

purl pkg:maven/org.yaml/snakeyaml@1.21

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.21

url pkg:maven/org.yaml/snakeyaml@1.22

purl pkg:maven/org.yaml/snakeyaml@1.22

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.22

url pkg:maven/org.yaml/snakeyaml@1.23

purl pkg:maven/org.yaml/snakeyaml@1.23

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.23

url pkg:maven/org.yaml/snakeyaml@1.24

purl pkg:maven/org.yaml/snakeyaml@1.24

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.24

url pkg:maven/org.yaml/snakeyaml@1.25

purl pkg:maven/org.yaml/snakeyaml@1.25

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-e8hu-czv4-yyc5

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.25

url pkg:maven/org.yaml/snakeyaml@1.26

purl pkg:maven/org.yaml/snakeyaml@1.26

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.26

url pkg:maven/org.yaml/snakeyaml@1.27

purl pkg:maven/org.yaml/snakeyaml@1.27

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.27

url pkg:maven/org.yaml/snakeyaml@1.28

purl pkg:maven/org.yaml/snakeyaml@1.28

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.28

url pkg:maven/org.yaml/snakeyaml@1.29

purl pkg:maven/org.yaml/snakeyaml@1.29

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.29

url pkg:maven/org.yaml/snakeyaml@1.30

purl pkg:maven/org.yaml/snakeyaml@1.30

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.30

url pkg:maven/org.yaml/snakeyaml@1.31

purl pkg:maven/org.yaml/snakeyaml@1.31

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.31

url pkg:maven/org.yaml/snakeyaml@1.32

purl pkg:maven/org.yaml/snakeyaml@1.32

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dmkc-42vj-gbhc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.32

url pkg:maven/org.yaml/snakeyaml@1.33

purl pkg:maven/org.yaml/snakeyaml@1.33

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dmkc-42vj-gbhc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.yaml/snakeyaml@1.33

url pkg:rpm/redhat/candlepin@4.2.13-1?arch=el8sat

purl pkg:rpm/redhat/candlepin@4.2.13-1?arch=el8sat

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2cup-9gdn-yyhk

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-9h46-72hw-bkcr

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-j986-mtma-b3bw

vulnerability	VCID-mbst-3bec-ykcq

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-qub7-qp14-uqcg

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-v2pq-1qhm-4qb9

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/candlepin@4.2.13-1%3Farch=el8sat

url pkg:rpm/redhat/eap7-jackson-modules-java8@2.10.4-2.redhat_00004.1?arch=el7eap

purl pkg:rpm/redhat/eap7-jackson-modules-java8@2.10.4-2.redhat_00004.1?arch=el7eap

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8977-tjss-w7ba

vulnerability	VCID-9bk7-2rsc-nbd6

vulnerability	VCID-9h46-72hw-bkcr

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-j986-mtma-b3bw

vulnerability	VCID-jstt-6zs3-ybew

vulnerability	VCID-jwav-88m7-6fhz

vulnerability	VCID-netd-rr9e-wbg5

vulnerability	VCID-qruf-r6dc-3ugj

vulnerability	VCID-turp-dju7-c7fx

vulnerability	VCID-v2pq-1qhm-4qb9

vulnerability	VCID-wp9q-eurd-43dx

vulnerability	VCID-xzs8-rbhd-mkbp

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/eap7-jackson-modules-java8@2.10.4-2.redhat_00004.1%3Farch=el7eap

url pkg:rpm/redhat/eap7-resteasy@3.0.27-1.Final_redhat_00001.1.ep7?arch=el7

purl pkg:rpm/redhat/eap7-resteasy@3.0.27-1.Final_redhat_00001.1.ep7?arch=el7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5qfd-jjh1-d3fx

vulnerability	VCID-8977-tjss-w7ba

vulnerability	VCID-9bk7-2rsc-nbd6

vulnerability	VCID-9h46-72hw-bkcr

vulnerability	VCID-bydt-bkf4-rbh2

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-j986-mtma-b3bw

vulnerability	VCID-jvp6-892x-nkc7

vulnerability	VCID-jwav-88m7-6fhz

vulnerability	VCID-netd-rr9e-wbg5

vulnerability	VCID-q6t7-9mjk-7fdd

vulnerability	VCID-qruf-r6dc-3ugj

vulnerability	VCID-ruae-hqdg-m7ek

vulnerability	VCID-v2pq-1qhm-4qb9

vulnerability	VCID-wdgx-34uc-2qa4

vulnerability	VCID-wp9q-eurd-43dx

vulnerability	VCID-xnyb-nuwm-pkdr

vulnerability	VCID-xzs8-rbhd-mkbp

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/eap7-resteasy@3.0.27-1.Final_redhat_00001.1.ep7%3Farch=el7

url pkg:rpm/redhat/eap7-resteasy@3.11.6-1.Final_redhat_00001.1?arch=el7eap

purl pkg:rpm/redhat/eap7-resteasy@3.11.6-1.Final_redhat_00001.1?arch=el7eap

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8977-tjss-w7ba

vulnerability	VCID-9bk7-2rsc-nbd6

vulnerability	VCID-9h46-72hw-bkcr

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-j986-mtma-b3bw

vulnerability	VCID-jstt-6zs3-ybew

vulnerability	VCID-jwav-88m7-6fhz

vulnerability	VCID-netd-rr9e-wbg5

vulnerability	VCID-qruf-r6dc-3ugj

vulnerability	VCID-turp-dju7-c7fx

vulnerability	VCID-v2pq-1qhm-4qb9

vulnerability	VCID-wp9q-eurd-43dx

vulnerability	VCID-xzs8-rbhd-mkbp

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/eap7-resteasy@3.11.6-1.Final_redhat_00001.1%3Farch=el7eap

url pkg:rpm/redhat/eap7-snakeyaml@1.33.0-1.SP1_redhat_00001.1?arch=el7eap

purl pkg:rpm/redhat/eap7-snakeyaml@1.33.0-1.SP1_redhat_00001.1?arch=el7eap

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8977-tjss-w7ba

vulnerability	VCID-9bk7-2rsc-nbd6

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-j986-mtma-b3bw

vulnerability	VCID-jstt-6zs3-ybew

vulnerability	VCID-jwav-88m7-6fhz

vulnerability	VCID-netd-rr9e-wbg5

vulnerability	VCID-qruf-r6dc-3ugj

vulnerability	VCID-turp-dju7-c7fx

vulnerability	VCID-xzs8-rbhd-mkbp

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/eap7-snakeyaml@1.33.0-1.SP1_redhat_00001.1%3Farch=el7eap

url pkg:rpm/redhat/eap7-snakeyaml@1.33.0-1.SP1_redhat_00001.1.ep7?arch=el7

purl pkg:rpm/redhat/eap7-snakeyaml@1.33.0-1.SP1_redhat_00001.1.ep7?arch=el7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8977-tjss-w7ba

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-j986-mtma-b3bw

vulnerability	VCID-jwav-88m7-6fhz

vulnerability	VCID-netd-rr9e-wbg5

vulnerability	VCID-qruf-r6dc-3ugj

vulnerability	VCID-wp9q-eurd-43dx

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/eap7-snakeyaml@1.33.0-1.SP1_redhat_00001.1.ep7%3Farch=el7

url pkg:rpm/redhat/eap7-snakeyaml@1.33.0-2.SP1_redhat_00001.1?arch=el7eap

purl pkg:rpm/redhat/eap7-snakeyaml@1.33.0-2.SP1_redhat_00001.1?arch=el7eap

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4s4f-emvn-9bhh

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-knw5-d2nn-vyhq

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/eap7-snakeyaml@1.33.0-2.SP1_redhat_00001.1%3Farch=el7eap

url pkg:rpm/redhat/eap7-snakeyaml@1.33.0-2.SP1_redhat_00001.1?arch=el8eap

purl pkg:rpm/redhat/eap7-snakeyaml@1.33.0-2.SP1_redhat_00001.1?arch=el8eap

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4s4f-emvn-9bhh

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-knw5-d2nn-vyhq

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/eap7-snakeyaml@1.33.0-2.SP1_redhat_00001.1%3Farch=el8eap

url pkg:rpm/redhat/eap7-snakeyaml@1.33.0-2.SP1_redhat_00001.1?arch=el9eap

purl pkg:rpm/redhat/eap7-snakeyaml@1.33.0-2.SP1_redhat_00001.1?arch=el9eap

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4s4f-emvn-9bhh

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fb8u-g65k-hffs

vulnerability	VCID-knw5-d2nn-vyhq

vulnerability	VCID-sqsn-ygsg-yfdu

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/eap7-snakeyaml@1.33.0-2.SP1_redhat_00001.1%3Farch=el9eap

url pkg:rpm/redhat/jenkins-2-plugins@4.9.1675668922-1?arch=el8

purl pkg:rpm/redhat/jenkins-2-plugins@4.9.1675668922-1?arch=el8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-13zs-2sn8-3yey

vulnerability	VCID-1tha-u7dt-tfc9

vulnerability	VCID-2zhb-qfhq-xkdp

vulnerability	VCID-4qvq-xv22-xbed

vulnerability	VCID-5jjh-qcnz-mye7

vulnerability	VCID-73th-g3mx-dqf1

vulnerability	VCID-892e-957y-4yc8

vulnerability	VCID-9h4k-xjx5-afc8

vulnerability	VCID-atqg-nfz6-zyfs

vulnerability	VCID-ca7m-fb38-kfe2

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-fzvq-dpvh-v7eu

vulnerability	VCID-gxu6-51zm-sfh7

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-n5vc-ggjg-kfc1

vulnerability	VCID-netd-rr9e-wbg5

vulnerability	VCID-pnge-tumu-v7e2

vulnerability	VCID-pwtj-az3g-zka3

vulnerability	VCID-rs56-6qvx-vucg

vulnerability	VCID-rxtr-936k-h3cc

vulnerability	VCID-s839-rpta-6bej

vulnerability	VCID-tx8n-nmhx-gqg1

vulnerability	VCID-ubq1-gzr6-x3fu

vulnerability	VCID-xq5k-dyk9-u3ct

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.9.1675668922-1%3Farch=el8

url pkg:rpm/redhat/jenkins-2-plugins@4.10.1675407676-1?arch=el8

purl pkg:rpm/redhat/jenkins-2-plugins@4.10.1675407676-1?arch=el8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dmkc-42vj-gbhc

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.10.1675407676-1%3Farch=el8

url pkg:rpm/redhat/jenkins-2-plugins@4.11.1683009941-1?arch=el8

purl pkg:rpm/redhat/jenkins-2-plugins@4.11.1683009941-1?arch=el8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1tha-u7dt-tfc9

vulnerability	VCID-2zhb-qfhq-xkdp

vulnerability	VCID-4qvq-xv22-xbed

vulnerability	VCID-5bu5-5b6n-nuft

vulnerability	VCID-73th-g3mx-dqf1

vulnerability	VCID-atqg-nfz6-zyfs

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-j584-bgww-z7fw

vulnerability	VCID-j986-mtma-b3bw

vulnerability	VCID-m3g5-ua28-afd2

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-n5vc-ggjg-kfc1

vulnerability	VCID-netd-rr9e-wbg5

vulnerability	VCID-pnge-tumu-v7e2

vulnerability	VCID-quvj-3tpk-qug1

vulnerability	VCID-rxtr-936k-h3cc

vulnerability	VCID-s839-rpta-6bej

vulnerability	VCID-tx8n-nmhx-gqg1

vulnerability	VCID-xq5k-dyk9-u3ct

vulnerability	VCID-zxcj-h6nx-m7gq

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.11.1683009941-1%3Farch=el8

url pkg:rpm/redhat/jenkins-2-plugins@4.11.1698299029-1?arch=el8

purl pkg:rpm/redhat/jenkins-2-plugins@4.11.1698299029-1?arch=el8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5bu5-5b6n-nuft

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-h7qt-3g1f-5ffr

vulnerability	VCID-j584-bgww-z7fw

vulnerability	VCID-j986-mtma-b3bw

vulnerability	VCID-quvj-3tpk-qug1

vulnerability	VCID-zxcj-h6nx-m7gq

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.11.1698299029-1%3Farch=el8

url pkg:rpm/redhat/jenkins-2-plugins@4.11.1706516946-1?arch=el8

purl pkg:rpm/redhat/jenkins-2-plugins@4.11.1706516946-1?arch=el8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5bu5-5b6n-nuft

vulnerability	VCID-955x-hg4a-5kc3

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-j584-bgww-z7fw

vulnerability	VCID-j986-mtma-b3bw

vulnerability	VCID-quvj-3tpk-qug1

vulnerability	VCID-zxcj-h6nx-m7gq

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.11.1706516946-1%3Farch=el8

url pkg:rpm/redhat/prometheus-jmx-exporter@0.12.0-9?arch=el8_7

purl pkg:rpm/redhat/prometheus-jmx-exporter@0.12.0-9?arch=el8_7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dmkc-42vj-gbhc

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/prometheus-jmx-exporter@0.12.0-9%3Farch=el8_7

url pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1?arch=el7sso

purl pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1?arch=el7sso

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xyb-g3n4-n3ca

vulnerability	VCID-3s9f-prpy-hbcx

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-4v1f-kt5y-w7d1

vulnerability	VCID-5618-53yg-8qh4

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-7j7q-m1zp-zfac

vulnerability	VCID-9h46-72hw-bkcr

vulnerability	VCID-cvxp-ctj9-guej

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-dxj3-8sk5-mfdy

vulnerability	VCID-ebn8-cjqs-k3ad

vulnerability	VCID-gp47-t3vm-57an

vulnerability	VCID-hbwg-ebvx-k7e1

vulnerability	VCID-kexn-gjxj-uudm

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-myp4-24sf-9yfv

vulnerability	VCID-netd-rr9e-wbg5

vulnerability	VCID-ptd4-8f7f-hyg6

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqx4-euc2-myew

vulnerability	VCID-turp-dju7-c7fx

vulnerability	VCID-v2pq-1qhm-4qb9

vulnerability	VCID-vfsr-kypp-wbea

vulnerability	VCID-wp9q-eurd-43dx

vulnerability	VCID-xy58-u3se-wfdb

vulnerability	VCID-xzs8-rbhd-mkbp

vulnerability	VCID-y1np-kma2-ayfn

vulnerability	VCID-y3ey-aab7-q3fk

vulnerability	VCID-y8up-mkx2-abcn

vulnerability	VCID-y9aa-2a31-ufa7

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1%3Farch=el7sso

url pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1?arch=el9sso

purl pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1?arch=el9sso

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xyb-g3n4-n3ca

vulnerability	VCID-3s9f-prpy-hbcx

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-4v1f-kt5y-w7d1

vulnerability	VCID-5618-53yg-8qh4

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-7j7q-m1zp-zfac

vulnerability	VCID-9h46-72hw-bkcr

vulnerability	VCID-cvxp-ctj9-guej

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-dxj3-8sk5-mfdy

vulnerability	VCID-ebn8-cjqs-k3ad

vulnerability	VCID-gp47-t3vm-57an

vulnerability	VCID-hbwg-ebvx-k7e1

vulnerability	VCID-kexn-gjxj-uudm

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-myp4-24sf-9yfv

vulnerability	VCID-netd-rr9e-wbg5

vulnerability	VCID-ptd4-8f7f-hyg6

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqx4-euc2-myew

vulnerability	VCID-turp-dju7-c7fx

vulnerability	VCID-v2pq-1qhm-4qb9

vulnerability	VCID-vfsr-kypp-wbea

vulnerability	VCID-wp9q-eurd-43dx

vulnerability	VCID-xy58-u3se-wfdb

vulnerability	VCID-xzs8-rbhd-mkbp

vulnerability	VCID-y1np-kma2-ayfn

vulnerability	VCID-y3ey-aab7-q3fk

vulnerability	VCID-y8up-mkx2-abcn

vulnerability	VCID-y9aa-2a31-ufa7

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1%3Farch=el9sso

url pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1?arch=el8sso

purl pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1?arch=el8sso

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xyb-g3n4-n3ca

vulnerability	VCID-3s9f-prpy-hbcx

vulnerability	VCID-4nu3-fknt-puej

vulnerability	VCID-4v1f-kt5y-w7d1

vulnerability	VCID-5618-53yg-8qh4

vulnerability	VCID-6354-p39b-zbhp

vulnerability	VCID-7j7q-m1zp-zfac

vulnerability	VCID-9h46-72hw-bkcr

vulnerability	VCID-cvxp-ctj9-guej

vulnerability	VCID-dmkc-42vj-gbhc

vulnerability	VCID-dxj3-8sk5-mfdy

vulnerability	VCID-ebn8-cjqs-k3ad

vulnerability	VCID-gp47-t3vm-57an

vulnerability	VCID-hbwg-ebvx-k7e1

vulnerability	VCID-kexn-gjxj-uudm

vulnerability	VCID-mm3e-4pej-byed

vulnerability	VCID-myp4-24sf-9yfv

vulnerability	VCID-netd-rr9e-wbg5

vulnerability	VCID-ptd4-8f7f-hyg6

vulnerability	VCID-qxfs-sq38-jfad

vulnerability	VCID-sqx4-euc2-myew

vulnerability	VCID-turp-dju7-c7fx

vulnerability	VCID-v2pq-1qhm-4qb9

vulnerability	VCID-vfsr-kypp-wbea

vulnerability	VCID-wp9q-eurd-43dx

vulnerability	VCID-xy58-u3se-wfdb

vulnerability	VCID-xzs8-rbhd-mkbp

vulnerability	VCID-y1np-kma2-ayfn

vulnerability	VCID-y3ey-aab7-q3fk

vulnerability	VCID-y8up-mkx2-abcn

vulnerability	VCID-y9aa-2a31-ufa7

resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1%3Farch=el8sso

References

reference_url

http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1471.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1471.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-1471

reference_id

reference_type

scores

value	0.93849
scoring_system	epss
scoring_elements	0.99865
published_at	2026-04-02T12:55:00Z

value	0.93849
scoring_system	epss
scoring_elements	0.99867
published_at	2026-04-13T12:55:00Z

value	0.93849
scoring_system	epss
scoring_elements	0.99866
published_at	2026-04-12T12:55:00Z

value	0.93849
scoring_system	epss
scoring_elements	0.99864
published_at	2026-04-01T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-1471

reference_url

https://bitbucket.org/snakeyaml/snakeyaml

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314

reference_url

https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471

reference_url

https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2

reference_url

https://github.com/mbechler/marshalsec

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://github.com/mbechler/marshalsec

reference_url

https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc

reference_url

https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-1471

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-1471

reference_url

https://security.netapp.com/advisory/ntap-20230818-0015

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20230818-0015

reference_url

https://security.netapp.com/advisory/ntap-20240621-0006

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240621-0006

reference_url

https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471

reference_url

https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

reference_url

http://www.openwall.com/lists/oss-security/2023/11/19/1

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

http://www.openwall.com/lists/oss-security/2023/11/19/1

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2150009
reference_id	2150009
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2150009

reference_url

https://github.com/advisories/GHSA-mjmj-j48q-9wg2

reference_id

GHSA-mjmj-j48q-9wg2

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mjmj-j48q-9wg2

reference_url

https://security.netapp.com/advisory/ntap-20230818-0015/

reference_id

ntap-20230818-0015

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-07T18:13:22Z/

url

https://security.netapp.com/advisory/ntap-20230818-0015/

reference_url	https://access.redhat.com/errata/RHSA-2022:9032
reference_id	RHSA-2022:9032
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:9032

reference_url	https://access.redhat.com/errata/RHSA-2022:9058
reference_id	RHSA-2022:9058
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:9058

reference_url	https://access.redhat.com/errata/RHSA-2023:0697
reference_id	RHSA-2023:0697
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0697

reference_url	https://access.redhat.com/errata/RHSA-2023:0758
reference_id	RHSA-2023:0758
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0758

reference_url	https://access.redhat.com/errata/RHSA-2023:0777
reference_id	RHSA-2023:0777
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0777

reference_url	https://access.redhat.com/errata/RHSA-2023:1006
reference_id	RHSA-2023:1006
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1006

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

reference_url	https://access.redhat.com/errata/RHSA-2023:3198
reference_id	RHSA-2023:3198
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3198

reference_url	https://access.redhat.com/errata/RHSA-2023:5165
reference_id	RHSA-2023:5165
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:5165

reference_url	https://access.redhat.com/errata/RHSA-2023:6171
reference_id	RHSA-2023:6171
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6171

reference_url	https://access.redhat.com/errata/RHSA-2023:7697
reference_id	RHSA-2023:7697
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7697

reference_url	https://access.redhat.com/errata/RHSA-2024:0325
reference_id	RHSA-2024:0325
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0325

reference_url	https://access.redhat.com/errata/RHSA-2024:0775
reference_id	RHSA-2024:0775
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0775

reference_url	https://access.redhat.com/errata/RHSA-2025:1746
reference_id	RHSA-2025:1746
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:1746

reference_url	https://access.redhat.com/errata/RHSA-2025:1747
reference_id	RHSA-2025:1747
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:1747

Weaknesses

cwe_id	20
name	Improper Input Validation
description	The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

cwe_id	502
name	Deserialization of Untrusted Data
description	The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

date_added	`null`
description	The PyTorch model server contains multiple vulnerabilities that can be chained together to permit an unauthenticated remote attacker arbitrary Java code execution. The first vulnerability is that the management interface is bound to all IP addresses and not just the loop back interface as the documentation suggests. The second vulnerability (CVE-2023-43654) allows attackers with access to the management interface to register MAR model files from arbitrary servers. The third vulnerability is that when an MAR file is loaded, it can contain a YAML configuration file that when deserialized by snakeyaml, can lead to loading an arbitrary Java class.
required_action	`null`
due_date	`null`
notes	Stability: - crash-safe SideEffects: - ioc-in-logs Reliability: - repeatable-session
known_ransomware_campaign_use	`false`
source_date_published	2023-10-03
exploit_type	`null`
platform	Java
source_date_updated	`null`
data_source	Metasploit
source_url	https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/torchserver_cve_2023_43654.rb

Severity_range_score 7.0 - 9.8

Exploitability 2.0

Weighted_severity 8.8

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dmkc-42vj-gbhc

Vulnerability Instance