Before the holiday break, I started looking at CVE-2022-1471 in Confluence and Bitbucket, which led me to trying to understand how SnakeYAML deserialization vulnerabilities actually work. It was quite the ride, full of open source drama and a plethora of related vulns. I wrote it all up in this blog post:

https://www.labs.greynoise.io/grimoire/2024-01-03-snakeyaml-deserialization/

#vuln #vulnerability #poc #java #deserialization #snakeyaml #yaml