CVE-2022-1471 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-1471 Interim 1 7 2023-08-23T23:33:00Z current 2022-12-02T00:55:26Z 2023-08-23T23:33:00Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-1471 SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Enterprise Storage 7 SUSE Enterprise Storage 7.1 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Manager Server Module 4.2 SUSE Manager Server Module 4.3 openSUSE Tumbleweed jackson-dataformat-csv-2.15.2-1.1 jackson-dataformat-properties-2.15.2-1.1 jackson-dataformat-toml-2.15.2-1.1 jackson-dataformat-yaml-2.15.2-1.1 jackson-dataformats-text-2.15.2-1.1 jackson-dataformats-text-javadoc-2.15.2-1.1 snakeyaml jackson-dataformat-csv-2.15.2-1.1 as a component of openSUSE Tumbleweed jackson-dataformat-properties-2.15.2-1.1 as a component of openSUSE Tumbleweed jackson-dataformat-toml-2.15.2-1.1 as a component of openSUSE Tumbleweed jackson-dataformat-yaml-2.15.2-1.1 as a component of openSUSE Tumbleweed jackson-dataformats-text-2.15.2-1.1 as a component of openSUSE Tumbleweed jackson-dataformats-text-javadoc-2.15.2-1.1 as a component of openSUSE Tumbleweed snakeyaml as a component of SUSE Enterprise Storage 7 snakeyaml as a component of SUSE Enterprise Storage 7.1 snakeyaml as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS snakeyaml as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS snakeyaml as a component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS snakeyaml as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 snakeyaml as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 snakeyaml as a component of SUSE Linux Enterprise Real Time 15 SP3 snakeyaml as a component of SUSE Linux Enterprise Server 15 SP2-LTSS snakeyaml as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 snakeyaml as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP3 snakeyaml as a component of SUSE Manager Server Module 4.2 snakeyaml as a component of SUSE Manager Server Module 4.3 SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond. CVE-2022-1471 openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1 SUSE Enterprise Storage 7.1:snakeyaml SUSE Enterprise Storage 7:snakeyaml SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:snakeyaml SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:snakeyaml SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:snakeyaml SUSE Linux Enterprise Module for Development Tools 15 SP4:snakeyaml SUSE Linux Enterprise Module for Development Tools 15 SP5:snakeyaml SUSE Linux Enterprise Real Time 15 SP3:snakeyaml SUSE Linux Enterprise Server 15 SP2-LTSS:snakeyaml SUSE Linux Enterprise Server for SAP Applications 15 SP2:snakeyaml SUSE Linux Enterprise Server for SAP Applications 15 SP3:snakeyaml SUSE Manager Server Module 4.2:snakeyaml SUSE Manager Server Module 4.3:snakeyaml important 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H