snakeyaml / snakeyaml / issues / #563 - CVE-2022-1471 - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization — Bitbucket

Issue #563 wontfix

Albert Wang created an issue 2022-12-04

A new vulnerability in SnakeYaml was reported on 2022-12-01 as CVE-2022-1471.

This is the NVD link: https://nvd.nist.gov/vuln/detail/CVE-2022-1471.

More information can be found in the google/security-research project security post.

Can anybody kindly have a look?

Thank you.

Comments (5)

Albert Wang reporter
- edited description
- 2022-12-04T21:21:10+00:00
Andrey Somov
https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
- 2022-12-05T02:32:50+00:00
Andrey Somov
It looks like these issues shoud never be closed, immediatly after it is closed it is re-created.
- 2022-12-05T02:34:35+00:00
Albert Wang reporter
Sorry, I didn’t notice this one.

https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in

I will close the ticket.
- 2022-12-05T04:29:22+00:00
Albert Wang reporter
- changed status to wontfix
Duplicate with https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
- 2022-12-05T04:29:41+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: wontfix

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!