Upgrade to SnakeYaml 2.2 and use SafeConstructor to mitigate CVE-2022-1471
Related links:
- https://www.websec.ca/publication/Blog/CVE-2022-21404-Another-story-of-developers-fixing-vulnerabilities-unknowingly-because-of-CodeQL
- https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2
- https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
- https://medium.com/@snyksec/snakeyaml-2-0-solving-the-unsafe-deserialization-vulnerability-c29a0f08f152
It seems passing SafeConstructor to Yaml instances makes them safe, even in 1.x versions, regarding this particular CVE. The only problem with just using SafeConstructor is that the 1.x versions will still be tagged with a CVE and scanners will not ignore that, so the version upgrade is also necessary.

Note that 2.0 changes the default Yaml constructor so that it will use SafeConstructor, so after upgrading the library no code changes to Yaml construction should be needed unless you've been dealing with custom Java classes already in your use case.
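As an added example (not code from this issue or from the SnakeYAML project), the following shows what the explicit SafeConstructor setup looks like against SnakeYAML 2.2, where SafeConstructor requires a LoaderOptions argument. The sample YAML documents, the class name SafeYamlLoading and the tag com.example.SomeBean are constructed for illustration.

```java
// Added example: build a Yaml instance that only constructs plain YAML types
// (maps, lists, scalars) and refuses documents that ask for arbitrary Java classes.
// Assumes SnakeYAML 2.2 on the classpath; sample inputs and names are made up.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoading {

    /** Returns a Yaml instance backed by SafeConstructor (explicit, even though 2.x defaults to safe loading). */
    public static Yaml safeYaml() {
        LoaderOptions options = new LoaderOptions();
        // Optional hardening unrelated to the CVE itself: bound alias expansion and nesting
        // so that a hostile document cannot exhaust memory or the stack.
        options.setMaxAliasesForCollections(50);
        options.setNestingDepthLimit(20);
        return new Yaml(new SafeConstructor(options));
    }

    public static void main(String[] args) {
        // Constructed sample input: ordinary configuration data without any Java tags.
        String plain = "service:\n  name: demo\n  port: 8080\n";
        Map<String, Object> cfg = safeYaml().load(plain);
        System.out.println("loaded: " + cfg);

        // Constructed sample input: a document carrying a global tag that names a Java class.
        // With the default (unsafe) Constructor on 1.x this would instantiate that class;
        // SafeConstructor has no constructor for such tags and rejects the document.
        String tagged = "!!com.example.SomeBean {value: 1}\n";
        try {
            safeYaml().load(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // The concrete subclass differs between versions (ComposerException on 2.x,
            // ConstructorException on 1.x), so catch the common base type.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On 1.x the same code compiles with new SafeConstructor() in place of the LoaderOptions form, which is how the mitigation can be applied before the dependency bump lands; the upgrade is still needed so that scanners stop flagging the artifact.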
Edited by Tuukka Lehtonen