#SnakeYAML default usage assumed trusted input, and had a more restricted constructor.
There was a very long issue thread with multiple people arguing with the developer (some civil and making good points, some not so much) about making the default secure (assume untrusted input).
My thoughts reading the thread:
1. Rather than arguing with the developer, use the secure constructor work with scanner tooling to resolve positive.
https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
#opensource #xz #opsec #cve
(continued)
[https://nvd.nist.gov/vuln/detail/CVE-2022-1471](https://nvd.nist.gov/vuln/detail/CVE-2022-1471) CVE-2022-1471 was reported about a day ago and it says > SnakeYaml's Constructor\(\) class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.
Before the holiday break, I started looking at CVE-2022-1471 in Confluence and Bitbucket, which led me to trying to understand how SnakeYAML deserialization vulnerabilities actually work. It was quite the ride, full of open source drama and a plethora of related vulns. I wrote it all up in this blog post:
https://www.labs.greynoise.io/grimoire/2024-01-03-snakeyaml-deserialization/
#vuln #vulnerability #poc #java #deserialization #snakeyaml #yaml
In December of last year, #Snyk reported on CVE-2022-1471 about #SnakeYaml 2.0. This unsafe deserialization problem could easily lead to arbitrary code execution under the right circumstances. @brianverm provides solutions on Foojay 
Today:
https://foojay.io/today/snakeyaml-2-0-solving-the-unsafe-deserialization-vulnerability/
#SnakeYaml is a well-known #YAML 1.1 parser and emitter for #Java, by default in the spring-boot-starter. Recently, a vulnerability was reported for this package. This vulnerability can lead to arbitrary code execution. @brianverm from #Snyk to the rescue on Foojay Today!
https://foojay.io/today/unsafe-deserialization-vulnerability-in-snakeyaml-cve-2022-1471/
[https://nvd.nist.gov/vuln/detail/CVE-2022-1471](https://nvd.nist.gov/vuln/detail/CVE-2022-1471) CVE-2022-1471 was reported about a day ago and it says > SnakeYaml's Constructor\(\) class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.
🚨 SnakeYaml, a YAML parser and emitter for Java, has a vulnerability that allows arbitrary code execution.
The flaw in its Constructor class doesn't restrict deserialized types. Learn more about this vulnerability: https://buff.ly/3iQxvqy
⚠️ A vulnerability for #SnakeYaml, a well-known #YAML 1.1 parser and emitter for #Java, was recently reported https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471/
Learn how CVE-2022-1471 can lead to arbitrary code execution and how best to mitigate it from
@brianverm
❌ Ditto
Ron Bowes
Brian Vermeer
Foojay.io
Mark Derricutt (talios)
Markus Herhoffer
Liran Tal 
