Affects: 5.3.x, 6.0.x

CVE-2022-1471 has been reported against the SnakeYaml project 1.30+. Additional information can be found in the google/security-research project security post.

Related SnakeYaml issue states that the issue will not be fixed in SnakeYaml and:

We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.

Spring Framework uses SnakeYaml so it potentially could be impacted, at least in:

- YamlProcessor@5.3.x
- YamlProcessor@6.0.x

Could someone please check if that's the case, or confirm that it can't be exploited?

Thank you.

Comment From: bclozel

Spring Framework's YamlProcessor already restricts the types allowed to be loaded via its org.springframework.beans.factory.config.YamlProcessor#setSupportedTypes method. By default, only Java standard classes (as defined in SafeConstructor) are allowed. With this limitation in place, I don't think the security issue you're pointing to can be leveraged.

Note that raising publicly potential CVEs with an open source project is dangerous and disrespectful. If you believe you've found a possible security vulnerability, please reach out via the appropriate channels.

The first lines of our issue template state:

`<!-- !!! For Security Vulnerabilities, please go to https://spring.io/security-policy !!! -->`

Also, see spring-projects/spring-boot#33457
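Added example (not code from this issue, Spring or SnakeYaml) showing the two mitigations discussed above side by side: plain SnakeYaml configured with SafeConstructor, and Spring's YamlPropertiesFactoryBean, which inherits YamlProcessor's type restriction. It assumes spring-beans, spring-core and SnakeYaml 1.32+ or 2.x on the classpath; com.example.Widget is a placeholder class name that does not need to exist.

```java
import java.nio.charset.StandardCharsets;
import java.util.Properties;

import org.springframework.beans.factory.config.YamlPropertiesFactoryBean;
import org.springframework.core.io.ByteArrayResource;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlSafeLoadingDemo {

    // Constructed sample documents. The second one carries a global tag naming an
    // application class (com.example.Widget is a placeholder and need not exist):
    // a safe loader must refuse it rather than try to instantiate the class.
    static final String PLAIN = "server:\n  port: 8080\n";
    static final String TAGGED = "widget: !!com.example.Widget {name: x}\n";

    // Plain SnakeYaml, configured the way the SnakeYaml maintainers recommend:
    // SafeConstructor builds only standard types (maps, lists, strings, numbers...).
    static Object loadWithSafeConstructor(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    // Spring's YamlProcessor family (YamlPropertiesFactoryBean here) applies the same
    // SafeConstructor type set unless setSupportedTypes(...) is called; that call widens
    // the allow-list one class at a time instead of disabling the check.
    static Properties loadWithSpring(String doc) {
        YamlPropertiesFactoryBean factory = new YamlPropertiesFactoryBean();
        factory.setResources(new ByteArrayResource(doc.getBytes(StandardCharsets.UTF_8)));
        return factory.getObject();
    }

    // Both loaders signal a refused tag with a RuntimeException (ConstructorException
    // from SnakeYaml, IllegalStateException from Spring's type filter).
    static boolean rejected(Runnable load) {
        try {
            load.run();
            return false;
        } catch (RuntimeException ex) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("SafeConstructor, plain doc  -> " + loadWithSafeConstructor(PLAIN));
        System.out.println("SafeConstructor, tagged doc -> rejected=" + rejected(() -> loadWithSafeConstructor(TAGGED)));
        System.out.println("Spring, plain doc           -> " + loadWithSpring(PLAIN));
        System.out.println("Spring, tagged doc          -> rejected=" + rejected(() -> loadWithSpring(TAGGED)));
    }
}
```

Both tagged-document loads report rejected=true, which is the behaviour the comment above relies on; an application that calls setSupportedTypes should keep that list to the concrete classes it actually needs.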

Comment From: bisvo01

Thanks for confirming that the YamlProcessor restricts the impact of the vulnerability.

All the information provided in this issue was already public (in a very conspicuous way). My intent here was not to report a new vulnerability, but to get help with assessing the impact of an existing publicly known one. To an outsider not knowledgeable about the project's codebase, that's a nontrivial help.