Vulnerability CVE-2022-1471


Published: 2022-12-01

Description:
SnakeYaml's Constructor() class does not restrict the types that can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
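The following Java example is added here to illustrate the advisory; it is not code from cxsecurity.com or from the SnakeYAML project. It assumes a vulnerable SnakeYAML 1.x build (e.g. 1.33) on the classpath. The class name ClasspathBean and the YAML document are constructed for the demonstration: a harmless bean stands in for whatever class an attacker would name with a global tag, and the counter shows that its constructor runs merely because the document was parsed. The same document is then fed to a parser built on SafeConstructor, which refuses the tag.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SnakeYamlTagDemo {

    // Stand-in for any class on the application's classpath (hypothetical, for this demo).
    // Its no-arg constructor and setter run whenever SnakeYAML instantiates it from a
    // !! tag; a real attack names a class whose constructor or setter does something harmful.
    public static class ClasspathBean {
        public static volatile int constructed = 0;
        private String name;

        public ClasspathBean() {
            constructed++;
        }

        public void setName(String name) {
            this.name = name;
        }

        public String getName() {
            return name;
        }
    }

    // Constructed sample input: the "!!fully.qualified.Name" global tag tells SnakeYAML
    // which Java class to instantiate, and the mapping keys become setter calls.
    static final String ATTACKER_YAML =
        "!!" + ClasspathBean.class.getName() + " {name: pwned}\n";

    // Vulnerable (SnakeYAML 1.x): new Yaml() uses Constructor, which honours any class tag.
    static Object loadUnsafe(String yaml) {
        return new Yaml().load(yaml);
    }

    // Hardened: SafeConstructor only builds standard YAML types (maps, lists, scalars)
    // and throws ConstructorException for a tag it does not know.
    static Object loadSafe(String yaml) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(yaml);
    }

    public static void main(String[] args) {
        Object unsafe = loadUnsafe(ATTACKER_YAML);
        System.out.println("Constructor(): instantiated " + unsafe.getClass().getName()
            + " with name=" + ((ClasspathBean) unsafe).getName()
            + "; constructor ran " + ClasspathBean.constructed + " time(s)");

        try {
            loadSafe(ATTACKER_YAML);
            System.out.println("SafeConstructor: unexpectedly accepted the tag");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }
    }
}
```

The check a practitioner wants is the second half: with SafeConstructor the parse fails before any attacker-named class is touched, so the counter stays where the first half left it. Where an application genuinely needs typed objects, SafeConstructor plus an explicit allow-list of constructors is the pattern to follow rather than the unrestricted Constructor; the SnakeYAML 2.0 line changed the default so that global tags are no longer honoured without opting in.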

See advisories in our WLB2 database:

Topic                                                                        | Author           | Date       | Risk
PyTorch Model Server Registration / Deserialization Remote Code Execution    | Spencer McIntyre | 14.10.2023 | Med.

References:
https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2

Copyright 2024, cxsecurity.com
