In December of last year, #Snyk reported on CVE-2022-1471 about #SnakeYaml 2.0. This unsafe deserialization problem could easily lead to arbitrary code execution under the right circumstances. @brianverm provides solutions on Foojay :foojay: Today:
https://foojay.io/today/snakeyaml-2-0-solving-the-unsafe-deserialization-vulnerability/
#SnakeYaml is a well-known #YAML 1.1 parser and emitter for #Java, by default in the spring-boot-starter. Recently, a vulnerability was reported for this package. This vulnerability can lead to arbitrary code execution. @brianverm from #Snyk to the rescue on Foojay :foojay: Today!
https://foojay.io/today/unsafe-deserialization-vulnerability-in-snakeyaml-cve-2022-1471/
#snakeyaml #yaml #java #snyk #foojaytip
The tone of the back’n’forth in this #SnakeYaml #security issue thread is painful to read: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
When you see that the resolution came about from a voice-to-voice call - and a smaller-scoped, easier-to-implement solution that was deemed acceptable to all involved presented itself - it’s good to remember that sometimes… meetings are good.
Hopefully SnakeYaml 2.0 gets released sooner than the biannual February date.
🚨 SnakeYaml, a YAML parser and emitter for Java, has a vulnerability that allows arbitrary code execution.
The flaw in its Constructor class doesn't restrict deserialized types. Learn more about this vulnerability: https://buff.ly/3iQxvqy
#java #snakeyaml #vulnerability #cve
⚠️ A vulnerability for #SnakeYaml, a well-known #YAML 1.1 parser and emitter for #Java, was recently reported https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471/
Learn how CVE-2022-1471 can lead to arbitrary code execution and how best to mitigate it from @brianverm
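As an added example (not code from these posts, from Snyk or from the SnakeYAML project), written against the SnakeYAML 1.33 API: the same tagged document is loaded once with the default Constructor, which instantiates whatever class the global tag names, and once with SafeConstructor, the mitigation the posts point to. The `Probe` bean and the document are constructed for the demo and stand in for whatever class an attacker-controlled document could name.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlDemo {

  // Harmless bean used as the target of the global tag (assumed for the demo).
  public static class Probe {
    public String name;
  }

  // Constructed document: the "!!" global tag tells the parser which class to build.
  // The type is chosen by the document, not by the application that parses it.
  static final String UNTRUSTED_DOC = "!!SnakeYamlDemo$Probe {name: from-yaml}\n";

  // Vulnerable pattern (CVE-2022-1471): Constructor resolves any global tag to a
  // class on the classpath and instantiates it, so untrusted input picks the type.
  public static Object loadWithConstructor(String doc) {
    return new Yaml(new Constructor(new LoaderOptions())).load(doc);
  }

  // Mitigation: SafeConstructor only builds standard YAML types (maps, lists,
  // scalars) and rejects unknown global tags with a ConstructorException.
  public static Object loadWithSafeConstructor(String doc) {
    return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
  }

  public static void main(String[] args) {
    Object built = loadWithConstructor(UNTRUSTED_DOC);
    System.out.println("Constructor built: " + built.getClass().getName());
    try {
      loadWithSafeConstructor(UNTRUSTED_DOC);
      System.out.println("SafeConstructor built the object (not expected)");
    } catch (YAMLException e) {
      // ConstructorException extends YAMLException; the document is refused.
      System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
    }
  }
}
```

Run it with snakeyaml 1.33 on the classpath; the first load prints the class named in the document, the second is refused before any class is instantiated.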