VulnerableCode Package Details - pkg:maven/org.yaml/snakeyaml@1.32

Search for packages

Vulnerability	Summary	Fixed by
VCID-dmkc-42vj-gbhc Aliases: CVE-2022-1471 GHSA-mjmj-j48q-9wg2	SnakeYaml Constructor Deserialization Remote Code Execution ### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... ^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, ; q=.2, /; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. ### Timeline Date reported: 4/11/2022 Date fixed: [30/12/2022](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44) Date disclosed*: 10/13/2022	2.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-dmkc-42vj-gbhc
Aliases:
CVE-2022-1471
GHSA-mjmj-j48q-9wg2

SnakeYaml Constructor Deserialization Remote Code Execution ### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... ^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. ### Timeline **Date reported**: 4/11/2022 **Date fixed**: [30/12/2022](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44) **Date disclosed**: 10/13/2022

2.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-fb8u-g65k-hffs	snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.	CVE-2022-38752 GHSA-9w3m-gqgf-c4p9
VCID-sqsn-ygsg-yfdu	Snakeyaml vulnerable to Stack overflow leading to denial of service Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.	CVE-2022-41854 GHSA-w37g-rhq8-7m4j

Vulnerability

Summary

Aliases

VCID-fb8u-g65k-hffs

snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

CVE-2022-38752
GHSA-9w3m-gqgf-c4p9

VCID-sqsn-ygsg-yfdu

Snakeyaml vulnerable to Stack overflow leading to denial of service Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

CVE-2022-41854
GHSA-w37g-rhq8-7m4j

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:17:54.435475+00:00	GitLab Importer	Affected by	VCID-dmkc-42vj-gbhc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.yaml/snakeyaml/CVE-2022-1471.yml	38.4.0
2026-04-16T22:15:15.235481+00:00	GitLab Importer	Fixing	VCID-sqsn-ygsg-yfdu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.yaml/snakeyaml/CVE-2022-41854.yml	38.4.0
2026-04-16T22:08:21.061074+00:00	GitLab Importer	Fixing	VCID-fb8u-g65k-hffs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.yaml/snakeyaml/CVE-2022-38752.yml	38.4.0
2026-04-11T23:35:24.719610+00:00	GitLab Importer	Affected by	VCID-dmkc-42vj-gbhc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.yaml/snakeyaml/CVE-2022-1471.yml	38.3.0
2026-04-11T23:32:22.273830+00:00	GitLab Importer	Fixing	VCID-sqsn-ygsg-yfdu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.yaml/snakeyaml/CVE-2022-41854.yml	38.3.0
2026-04-11T23:24:45.481795+00:00	GitLab Importer	Fixing	VCID-fb8u-g65k-hffs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.yaml/snakeyaml/CVE-2022-38752.yml	38.3.0
2026-04-02T23:40:03.260139+00:00	GitLab Importer	Affected by	VCID-dmkc-42vj-gbhc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.yaml/snakeyaml/CVE-2022-1471.yml	38.1.0
2026-04-02T23:37:32.076921+00:00	GitLab Importer	Fixing	VCID-sqsn-ygsg-yfdu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.yaml/snakeyaml/CVE-2022-41854.yml	38.1.0
2026-04-02T23:31:08.056302+00:00	GitLab Importer	Fixing	VCID-fb8u-g65k-hffs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.yaml/snakeyaml/CVE-2022-38752.yml	38.1.0
2026-04-01T18:02:32.876044+00:00	GitLab Importer	Affected by	VCID-dmkc-42vj-gbhc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.yaml/snakeyaml/CVE-2022-1471.yml	38.0.0
2026-04-01T17:59:44.980540+00:00	GitLab Importer	Fixing	VCID-sqsn-ygsg-yfdu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.yaml/snakeyaml/CVE-2022-41854.yml	38.0.0
2026-04-01T17:52:41.974497+00:00	GitLab Importer	Fixing	VCID-fb8u-g65k-hffs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.yaml/snakeyaml/CVE-2022-38752.yml	38.0.0
2026-04-01T16:03:59.454746+00:00	GHSA Importer	Fixing	VCID-sqsn-ygsg-yfdu	https://github.com/advisories/GHSA-w37g-rhq8-7m4j	38.0.0
2026-04-01T16:03:06.619705+00:00	GHSA Importer	Fixing	VCID-fb8u-g65k-hffs	https://github.com/advisories/GHSA-9w3m-gqgf-c4p9	38.0.0
2026-04-01T13:07:12.662051+00:00	GithubOSV Importer	Fixing	VCID-sqsn-ygsg-yfdu	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-w37g-rhq8-7m4j/GHSA-w37g-rhq8-7m4j.json	38.0.0
2026-04-01T13:05:34.289001+00:00	GithubOSV Importer	Fixing	VCID-fb8u-g65k-hffs	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-9w3m-gqgf-c4p9/GHSA-9w3m-gqgf-c4p9.json	38.0.0