Attacker Value
Low
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
3

CVE-2022-1471

Disclosure Date: December 01, 2022
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

SnakeYaml’s Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml’s SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Add Assessment

1
Ratings
  • Attacker Value
    Low
  • Exploitability
    High
Technical Analysis

snakeyaml contains a vulnerability whereby an attacker that has control over YAML data that is deserialized by an affected version can execute arbitrary Java code. There are multiple, gadget chains that have been published for exploiting this vulnerability. In practice, this vulnerability is most valuable for exploitation purposes when chained with another vulnerability that allows for it to be triggered remotely such as CVE-2023-43654.

This vulnerability is moderately difficult to weaponize due to a couple of factors. First, in most scenarios, the attacker will need to understand the context in which snakeyaml is used within the host application. This will involve figuring out a means by which to get the target application to deserialize YAML data controlled by the attacker through some kind of API call, for example. Secondly, while multiple gadget chains are publicly available for, the exploit developer will still need to do some trial and error to find a chain that works within the target application. Once a chain has been identified, the target application will require access to communicate with an attacker-controlled server from which to load the Java class data. In the public chains, this server would either be HTTP(S) or LDAP.

Code execution will occur in the context of the host application where the snakeyaml library is used. This means the payload will execute with the same privileges as the host application, which will be different on a case-by-case basis.

This vulnerability was fixed in version 2.0. See the issue on bitbucket for more information.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • snakeyaml project

Products

  • snakeyaml
Technical Analysis