CVE-2022-1471: SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. Not sure we can do anything with no fixed version, mitigation will have to be done in consumers.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aee65fdfa0ce1abe59f9f4433f309fda95630e5f commit aee65fdfa0ce1abe59f9f4433f309fda95630e5f Author: Volkmar W. Pogatzki <gentoo@pogatzki.net> AuthorDate: 2023-03-19 14:49:00 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2023-03-20 07:26:41 +0000 dev-java/snakeyaml: add 2.0 - CVE-2022-1471 - skips 2 classes in META-INF/versions/9 due to https://bugs.gentoo.org/900433 Bug: https://bugs.gentoo.org/883853 Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net> Closes: https://github.com/gentoo/gentoo/pull/30235 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> dev-java/snakeyaml/Manifest | 1 + dev-java/snakeyaml/snakeyaml-2.0.ebuild | 76 +++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+)
Yeah, upstream calls this invalid: https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471