Arbitrary Code Execution SNYK-JAVA-ORGYAML-3152153

## Overview
[org.yaml:snakeyaml](https://code.google.com/p/snakeyaml/source/browse/) is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Arbitrary Code Execution in the `Constructor` class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents the `SafeConstructor` class. 

The maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation. Thus, no fix is expected.

**NOTE:** This advisory is subject to change as we investigate the practicality of exploitation.
## Remediation
There is no fixed version for `org.yaml:snakeyaml`.
## References
- [Bitbucket Issue](https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in)
- [BitBucket PR](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/39)
- [Vulnerable Class](https://github.com/snakeyaml/snakeyaml/blob/master/src/main/java/org/yaml/snakeyaml/constructor/Constructor.java)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Arbitrary Code Execution SNYK-JAVA-ORGYAML-3152153 #538

Overview

Remediation

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Arbitrary Code Execution SNYK-JAVA-ORGYAML-3152153 #538

Description

Overview

Remediation

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions