8.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-1471

GHSA ID

GHSA-mjmj-j48q-9wg2

EPSS Score

0.99857%

CWE

CWE-20

Published

12/12/2022

Updated

2/6/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-1471

CVE-2022-1471: SnakeYaml Constructor Deserialization Remote Code Execution

Summary

SnakeYaml's Constructor class, which inherits from SafeConstructor, allows any type be deserialized given the following line:

new Yaml(new Constructor(TestDataClass.class)).load(yamlContent);

Types do not have to match the types of properties in the target class. A ConstructorException is thrown, but only after a malicious payload is deserialized.

Severity

High, lack of type checks during deserialization allows remote code execution.

Proof of Concept

Execute bash run.sh. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000.

Example output of successful run of proof of concept:

$ bash run.sh

[+] Downloading snakeyaml if needed
[+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE
nc: no process found
[+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server.
[+] An exception is expected.
Exception:
Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0
 in 'string', line 1, column 1:
    payload: !!javax.script.ScriptEn ... 
    ^
Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
 in 'string', line 1, column 10:
    payload: !!javax.script.ScriptEngineManag ... 
             ^

	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220)
	at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174)
	at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158)
	at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491)
	at org.yaml.snakeyaml.Yaml.load(Yaml.java:416)
	at Main.main(Main.java:37)
Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
	at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
	at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
	at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)
	at java.base/java.lang.reflect.Field.set(Field.java:780)
	at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44)
	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286)
	... 9 more
[+] Dumping Received HTTP Request. Will not be empty if PoC worked
GET /proof-of-concept HTTP/1.1
User-Agent: Java/11.0.14
Host: localhost:8000
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

Further Analysis

Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content.

See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject.

Timeline

Date reported: 4/11/2022 Date fixed: 30/12/2022 Date disclosed: 10/13/2022

(GitHub Advisory)

8.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-1471

GHSA ID

GHSA-mjmj-j48q-9wg2

EPSS Score

0.99857%

CWE

CWE-20

Published

12/12/2022

Updated

2/6/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.yaml:snakeyaml	maven	<= 1.33	2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerable functions are identified based on the stack trace provided in the description of the vulnerability. The functions are part of the deserialization process in SnakeYaml and are related to the Constructor class, which is known to be vulnerable to remote code execution due to the lack of type checks during deserialization.

Vulnerable functions

org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep

Constructor.java

This method is part of the deserialization process and is vulnerable to remote code execution due to the lack of type checks during deserialization.

org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck

BaseConstructor.java

This method is involved in the deserialization process and could be related to the vulnerability.

org.yaml.snakeyaml.constructor.BaseConstructor.constructObject

BaseConstructor.java

This method is part of the deserialization process and is potentially related to the vulnerability.

org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument

BaseConstructor.java

This method is involved in the deserialization process and could be related to the vulnerability.

org.yaml.snakeyaml.Yaml.loadFromReader

Yaml.java

This method is part of the deserialization process and is potentially related to the vulnerability.

org.yaml.snakeyaml.Yaml.load

Yaml.java

This method is the entry point for the deserialization process and is potentially related to the vulnerability.

WAF Protection Rules

WAF Rule

### Summ*ry Sn*k*Y*ml's `*onstru*tor` *l*ss, w*i** in**rits *rom `S****onstru*tor`, *llows *ny typ* ** **s*ri*liz** *iv*n t** *ollowin* lin*: n*w Y*ml(n*w *onstru*tor(T*st**t**l*ss.*l*ss)).lo**(y*ml*ont*nt); Typ*s *o not **v* to m*t** t** typ*s o*

Reasoning

T** vuln*r**l* *un*tions *r* i**nti*i** **s** on t** st**k tr*** provi*** in t** **s*ription o* t** vuln*r**ility. T** *un*tions *r* p*rt o* t** **s*ri*liz*tion pro**ss in `Sn*k*Y*ml` *n* *r* r*l*t** to t** `*onstru*tor` *l*ss, w*i** is known to ** v

8.3

Basic Information

Concerned about an active attack path?

CVE-2022-1471: SnakeYaml Constructor Deserialization Remote Code Execution

Summary

Severity

Proof of Concept

Further Analysis

Timeline

8.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI