CVE-2022-1471

Remote Code execution in SnakeYAML

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

La clase Constructor() de SnakeYaml no restringe los tipos de los que se pueden crear instancias durante la deserialización. La deserialización del contenido yaml proporcionado por un atacante puede conducir a la ejecución remota de código. Recomendamos utilizar SafeConsturctor de SnakeYaml al analizar contenido que no es de confianza para restringir la deserialización. Recomendamos actualizar a la versión 2.0 y posteriores.

A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).

The PyTorch model server contains multiple vulnerabilities that can be chained together to permit an unauthenticated remote attacker arbitrary Java code execution. The first vulnerability is that the management interface is bound to all IP addresses and not just the loop back interface as the documentation suggests. The second vulnerability (CVE-2023-43654) allows attackers with access to the management interface to register MAR model files from arbitrary servers. The third vulnerability is that when an MAR file is loaded, it can contain a YAML configuration file that when deserialized by snakeyaml, can lead to loading an arbitrary Java class.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-04-26 CVE Reserved
2022-12-01 CVE Published
2023-03-02 First Exploit
2024-08-11 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation
CWE-502: Deserialization of Untrusted Data

CAPEC

CAPEC-253: Remote Code Inclusion

References (12)

URL	Tag	Source
http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html
http://www.openwall.com/lists/oss-security/2023/11/19/1
https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479	Issue Tracking
https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc
https://security.netapp.com/advisory/ntap-20230818-0015
https://security.netapp.com/advisory/ntap-20240621-0006

URL	Date	SRC
https://github.com/1fabunicorn/SnakeYAML-CVE-2022-1471-POC	2023-03-02
https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2	2024-09-17
https://github.com/mbechler/marshalsec	2024-09-17
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true	2024-09-17

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-1471	2024-03-18
https://bugzilla.redhat.com/show_bug.cgi?id=2150009	2024-03-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Snakeyaml Project Search vendor "Snakeyaml Project"		Snakeyaml Search vendor "Snakeyaml Project" for product "Snakeyaml"				< 2.0 Search vendor "Snakeyaml Project" for product "Snakeyaml" and version " < 2.0"		-		Affected