Spring Framework's YamlProcessor already restricts the types allowed to be loaded via its org.springframework.beans.factory.config.YamlProcessor#setSupportedTypes method. By default, only Java standard classes (as defined in SafeConstructor) are allowed. With this limitation in place, I don't think the security issue you're pointing to can be leveraged.
Note that raising publicly potential CVEs with an open source project is dangerous and disrespectful. If you believe you've found a possible security vulnerability, please reach out via the appropriate channels.
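The restriction described in the comment above can be checked directly. The following is an added example, not code from this thread or from the Spring Framework project: it loads a constructed YAML document carrying a global `!!` type tag through YamlPropertiesFactoryBean (a concrete YamlProcessor) first with the default configuration, then with an explicit allow-list. The package `com.example.demo`, the class names and the sample document are assumptions made for the demo.

```java
package com.example.demo; // hypothetical package for this added example

import java.nio.charset.StandardCharsets;
import java.util.Properties;
import java.util.UUID;

import org.springframework.beans.factory.config.YamlPropertiesFactoryBean;
import org.springframework.core.io.ByteArrayResource;

/**
 * Shows the YamlProcessor type restriction: without setSupportedTypes(...)
 * only SnakeYaml SafeConstructor types are built; with it, only the
 * allow-listed classes may be instantiated from a tagged node.
 */
public class YamlTypeRestrictionDemo {

    /** Constructed sample bean that the YAML document asks SnakeYaml to build. */
    public static class ServerConfig {
        private String host;
        private int port;
        public String getHost() { return host; }
        public void setHost(String host) { this.host = host; }
        public int getPort() { return port; }
        public void setPort(int port) { this.port = port; }
        @Override public String toString() { return host + ":" + port; }
    }

    // Constructed document: the global tag names a Java class instead of
    // letting the node resolve to a plain map.
    static final String TAGGED_YAML =
            "server: !!com.example.demo.YamlTypeRestrictionDemo$ServerConfig\n"
            + "  host: localhost\n"
            + "  port: 8443\n";

    /** Loads the document; an empty allow-list leaves the SafeConstructor default in place. */
    static Properties load(String yaml, Class<?>... supportedTypes) {
        YamlPropertiesFactoryBean factory = new YamlPropertiesFactoryBean();
        factory.setResources(new ByteArrayResource(yaml.getBytes(StandardCharsets.UTF_8)));
        factory.setSupportedTypes(supportedTypes);
        return factory.getObject();
    }

    public static void main(String[] args) {
        // 1. Default: no supported types configured, so SnakeYaml's
        //    SafeConstructor rejects the unknown global tag before any
        //    class is looked up.
        try {
            load(TAGGED_YAML);
            System.out.println("default: unexpectedly constructed a custom type");
        } catch (RuntimeException ex) {
            System.out.println("default: rejected -> " + ex.getClass().getSimpleName());
        }

        // 2. Explicit allow-list containing exactly the tagged class:
        //    the bean is built and ends up under the "server" key.
        Properties props = load(TAGGED_YAML, ServerConfig.class);
        System.out.println("allow-listed: " + props.get("server"));

        // 3. Allow-list that does not contain the tagged class: Spring's
        //    filtering constructor refuses the type; SnakeYaml surfaces the
        //    refusal as a runtime exception.
        try {
            load(TAGGED_YAML, UUID.class);
            System.out.println("other allow-list: unexpectedly constructed a custom type");
        } catch (RuntimeException ex) {
            System.out.println("other allow-list: rejected -> " + ex.getMessage());
        }
    }
}
```

Running the class against Spring Framework 5.3.x or 6.0.x prints a rejection for cases 1 and 3 and `localhost:8443` for case 2. The practical check for an application is therefore whether any code path calls setSupportedTypes with a class that should never be reachable from untrusted input; the default configuration does not construct arbitrary classes at all.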
Thanks for confirming that the YamlProcessor restricts the impact of the vulnerability.
All the information provided in this issue was already public (in a very conspicuous way). My intent here was not to report a new vulnerability, but to get help with assessing the impact of an existing publicly known one. To an outsider not knowledgeable about the project's codebase, that's a nontrivial help.
Affects: 5.3.x, 6.0.x
CVE-2022-1471 has been reported against the SnakeYaml project 1.30+. Additional information can be found in the google/security-research project security post.
Related SnakeYaml issue states that the issue will not be fixed in SnakeYaml and:
Spring Framework uses SnakeYaml so it potentially could be impacted, at least in:
YamlProcessor @5.3.x
YamlProcessor @6.0.x
Could someone please check if that's the case, or confirm that it can't be exploited?
Thank you.