vulnerability
Red Hat JBoss EAP: CVE-2022-1471: Improper Input Validation
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Oct 13, 2022 | Sep 19, 2024 | Jul 9, 2025 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
Oct 13, 2022
Added
Sep 19, 2024
Modified
Jul 9, 2025
Description
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.. A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
Solution
red-hat-jboss-eap-upgrade-latest
References
- CWE-20
- CWE-502
- CVE-2022-1471
- https://attackerkb.com/topics/CVE-2022-1471
- URL-https://access.redhat.com/security/cve/CVE-2022-1471
- URL-https://bugzilla.redhat.com/show_bug.cgi?id=2150009
- URL-https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2
- URL-https://access.redhat.com/errata/RHSA-2023:1512
- URL-https://access.redhat.com/errata/RHSA-2023:1513
- URL-https://access.redhat.com/errata/RHSA-2023:1514
- URL-https://access.redhat.com/errata/RHSA-2023:1516
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.