{"api_version":"1","generated_at":"2026-04-22T23:23:04+00:00","cve":"CVE-2022-1471","urls":{"html":"https://cve.report/CVE-2022-1471","api":"https://cve.report/api/cve/CVE-2022-1471.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-1471","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-1471"},"summary":{"title":"CVE-2022-1471","description":"SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.","state":"PUBLIC","assigner":"security@google.com","published_at":"2022-12-01 11:15:00","updated_at":"2023-11-19 15:15:00"},"problem_types":["CWE-502"],"metrics":[],"references":[{"url":"https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc","name":"https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc","refsource":"MISC","tags":[],"title":"[Kubernetes Java Client] Kubernetes Java client impacted by CVE-2022-1471","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20230818-0015/","name":"https://security.netapp.com/advisory/ntap-20230818-0015/","refsource":"MISC","tags":[],"title":"CVE-2022-1471 SnakeYAML Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479","name":"https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479","refsource":"MISC","tags":[],"title":"snakeyaml / snakeyaml \n  / issues \n  / #561 - CVE-2022-1471 (vulnerability in deserialization)\n\n — 
Bitbucket","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2023/11/19/1","name":"http://www.openwall.com/lists/oss-security/2023/11/19/1","refsource":"","tags":[],"title":"","mime":"","httpstatus":"200","archivestatus":"404"},{"url":"http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html","refsource":"MISC","tags":[],"title":"PyTorch Model Server Registration / Deserialization Remote Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true","name":"https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true","refsource":"MISC","tags":[],"title":"","mime":"application/pdf","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2","name":"https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2","refsource":"MISC","tags":[],"title":"SnakeYaml: Constructor Deserialization Remote Code Execution · Advisory · google/security-research · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/mbechler/marshalsec","name":"https://github.com/mbechler/marshalsec","refsource":"MISC","tags":[],"title":"GitHub - mbechler/marshalsec","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-1471","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1471","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"1471","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"snakeyaml_project","cpe5":"snakeyaml","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"1471","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"snakeyaml_project","cpe5":"snakeyaml","cpe6":"1.30","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-1471","qid":"160363","title":"Oracle Enterprise Linux Security Update for prometheus-jmx-exporter (ELSA-2022-9058-1)"},{"cve":"CVE-2022-1471","qid":"20342","title":"Oracle Database 21c Critical Patch Update - April 2023"},{"cve":"CVE-2022-1471","qid":"20396","title":"IBM DB2 Multiple Vulnerabilities (7095807)"},{"cve":"CVE-2022-1471","qid":"241019","title":"Red Hat Update for prometheus-jmx-exporter (RHSA-2022:9058)"},{"cve":"CVE-2022-1471","qid":"241186","title":"Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:0697)"},{"cve":"CVE-2022-1471","qid":"241214","title":"Red Hat OpenShift Container Platform 4.9 Security Update (RHSA-2023:0777)"},{"cve":"CVE-2022-1471","qid":"241301","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.1 on RHEL 7 (RHSA-2023:1512)"},{"cve":"CVE-2022-1471","qid":"241302","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.1 on RHEL 8 (RHSA-2023:1513)"},{"cve":"CVE-2022-1471","qid":"241303","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.1 on RHEL 9 (RHSA-2023:1514)"},{"cve":"CVE-2022-1471","qid":"241405","title":"Red Hat Update for Satellite 6.13 
(RHSA-2023:2097)"},{"cve":"CVE-2022-1471","qid":"379104","title":"Atlassian Data Center and Server Remote Code Execution (RCE) Vulnerabilities (JSWSERVER-24756)"},{"cve":"CVE-2022-1471","qid":"379105","title":"Atlassian Bitbucket Data Center Remote Code Execution (RCE) Vulnerability (BSERV-14528)"},{"cve":"CVE-2022-1471","qid":"379149","title":"Atlassian Jira Service Management Server and Data Center Remote Code Execution (RCE) Vulnerability (JSDSERVER-14906)"},{"cve":"CVE-2022-1471","qid":"379452","title":"IBM Cognos Analytics Multiple Vulnerabilities (7123154)"},{"cve":"CVE-2022-1471","qid":"520012","title":"Atlassian Bitbucket Data Center and Server Remote Code Execution (CVE-2022-1471)"},{"cve":"CVE-2022-1471","qid":"731000","title":"Atlassian Confluence Data Center and Server Remote Code Execution (RCE) Vulnerability (CONFSERVER-91463)"},{"cve":"CVE-2022-1471","qid":"731002","title":"Atlassian Bitbucket Server Remote Code Execution (RCE) Vulnerability (BSERV-14528)"},{"cve":"CVE-2022-1471","qid":"731035","title":"Atlassian Data Center and Server Remote Code Execution (RCE) Vulnerabilities (JSWSERVER-24756)"},{"cve":"CVE-2022-1471","qid":"770175","title":"Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:0697)"},{"cve":"CVE-2022-1471","qid":"770178","title":"Red Hat OpenShift Container Platform 4.9. 
Security Update (RHSA-2023:0777)"},{"cve":"CVE-2022-1471","qid":"940858","title":"AlmaLinux Security Update for prometheus-jmx-exporter (ALSA-2022:9058)"},{"cve":"CVE-2022-1471","qid":"960565","title":"Rocky Linux Security Update for prometheus-jmx-exporter (RLSA-2022:9058)"},{"cve":"CVE-2022-1471","qid":"960924","title":"Rocky Linux Security Update for Satellite (RLSA-2023:2097)"},{"cve":"CVE-2022-1471","qid":"996013","title":"Python (Pip) Security Update for apache-submarine (GHSA-8hcr-5x2g-9f7j)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-1471","ASSIGNER":"security@google.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. 
We recommend upgrading to version 2.0 and beyond.\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20 Improper Input Validation","cweId":"CWE-20"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"SnakeYAML","product":{"product_data":[{"product_name":"SnakeYAML","version":{"version_data":[{"version_affected":"<=","version_name":"0","version_value":"2.0"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2","refsource":"MISC","name":"https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"},{"url":"https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479","refsource":"MISC","name":"https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479"},{"url":"https://github.com/mbechler/marshalsec","refsource":"MISC","name":"https://github.com/mbechler/marshalsec"},{"url":"https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true","refsource":"MISC","name":"https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true"},{"url":"https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc","refsource":"MISC","name":"https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc"},{"url":"https://security.netapp.com/advisory/ntap-20230818-0015/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20230818-0015/"},{"url":"http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html","refsource":"MISC","name":"http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html"}]},"generator":{"engine":"Vulnogram 
0.1.0-dev"},"source":{"discovery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":8.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}]}},"nvd":{"publishedDate":"2022-12-01 11:15:00","lastModifiedDate":"2023-11-19 15:15:00","problem_types":["CWE-502"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:*","versionEndExcluding":"2.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}