Attacker Value: Low (1 user assessed)
Exploitability: High (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2022-1471

Disclosure Date: December 01, 2022

Description

SnakeYaml’s Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml’s SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
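
The following is an added example, not code from the advisory or from the SnakeYAML project. It checks how the library on your classpath behaves by loading a document that carries a global type tag, first through `Constructor` and then through `SafeConstructor`. The names `SnakeYamlTypeCheck` and `Marker` and both sample documents are constructed for illustration, and the `LoaderOptions`-taking constructors are assumed to be available (they are required from 2.0).

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlTypeCheck {
    /** Harmless stand-in for "any class on the classpath"; counts its own instantiations. */
    public static class Marker {
        static int created = 0;
        public Marker() { created++; }
    }

    // Constructed input: a global tag naming a Java class, which is how a document requests a type.
    static final String TAGGED = "!!" + Marker.class.getName() + " {}";
    // Constructed input: ordinary configuration data with no type tags.
    static final String PLAIN = "name: demo\nports: [80, 443]\n";

    /** Returns true if loading TAGGED through the given Yaml instantiated Marker. */
    static boolean instantiatesTaggedTypes(Yaml yaml) {
        int before = Marker.created;
        try {
            yaml.load(TAGGED);
        } catch (YAMLException e) {
            System.out.println("  rejected: " + e.getClass().getSimpleName());
        }
        return Marker.created > before;
    }

    public static void main(String[] args) {
        // Weak: Constructor resolves class names taken from the document itself.
        Yaml unrestricted = new Yaml(new Constructor(new LoaderOptions()));
        // Hardened: SafeConstructor builds only standard types (maps, lists, scalars).
        Yaml restricted = new Yaml(new SafeConstructor(new LoaderOptions()));

        System.out.println("Constructor:");
        System.out.println("  instantiated tagged type: " + instantiatesTaggedTypes(unrestricted));
        System.out.println("SafeConstructor:");
        System.out.println("  instantiated tagged type: " + instantiatesTaggedTypes(restricted));

        // Plain data still loads under the restricted constructor.
        Object data = restricted.load(PLAIN);
        System.out.println("  plain document loads as: " + data.getClass().getSimpleName());
    }
}
```

On an affected release the `Constructor` check reports `true`, while `SafeConstructor` reports `false` on every release and still loads the untagged document as a map.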

Ratings
  • Attacker Value
    Low
  • Exploitability
    High
Technical Analysis

snakeyaml contains a vulnerability whereby an attacker that has control over YAML data that is deserialized by an affected version can execute arbitrary Java code. There are multiple gadget chains that have been published for exploiting this vulnerability. In practice, this vulnerability is most valuable for exploitation purposes when chained with another vulnerability that allows for it to be triggered remotely, such as CVE-2023-43654.

This vulnerability is moderately difficult to weaponize due to a couple of factors. First, in most scenarios, the attacker will need to understand the context in which snakeyaml is used within the host application. This will involve figuring out a means by which to get the target application to deserialize YAML data controlled by the attacker through some kind of API call, for example. Secondly, while multiple gadget chains are publicly available, the exploit developer will still need to do some trial and error to find a chain that works within the target application. Once a chain has been identified, the target application will require access to communicate with an attacker-controlled server from which to load the Java class data. In the public chains, this server would either be HTTP(S) or LDAP.

Code execution will occur in the context of the host application where the snakeyaml library is used. This means the payload will execute with the same privileges as the host application, which will be different on a case-by-case basis.

This vulnerability was fixed in version 2.0. See the issue on Bitbucket for more information.

CVSS V3 Severity and Metrics
Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • snakeyaml project

Products

  • snakeyaml