CVE-2022-1471 - Remote Code Execution (RCE)

Severity: None
Date: 2023-01-06


Abstract

SnakeYaml's Constructor() class does not restrict the types that can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content, which limits deserialization to the standard YAML types.

The Oxygen products incorporate SnakeYaml as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product                               Severity   Fixed Release Availability
Oxygen XML Author v25.0 and older     None       Oxygen XML Author 25.0 build 2022121306
Oxygen XML Developer v25.0 and older  None       Oxygen XML Developer 25.0 build 2022121306
Oxygen XML Editor v25.0 and older     None       Oxygen XML Editor 25.0 build 2022121306
Oxygen Content Fusion v5.0.1 and older  None     Oxygen Content Fusion 5.0.2 build 2022121305
Oxygen Publishing Engine v25.0 and older  None   Oxygen Publishing Engine 25.0 build 2022121304

Mitigation

None

Detail

CVE-2022-1471

Severity: Critical

CVSS Score: 9.8

The SnakeYaml third-party library bundled with the Oxygen XML products is one of the versions listed as affected in the CVE-2022-1471 description. However, the Oxygen products do not use the Constructor() class described in the CVE, so Oxygen XML products are not affected by this vulnerability. Dependency scanners that match only on the library version will still report the bundled jar; the exploitable condition depends on how the library is called, not on which version is present.
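The following is an added illustration of the distinction this advisory relies on (the abstract's Constructor() versus SafeConstructor, and the statement above that the vulnerable call path is never used). It is example code written for this page, not code from the Oxygen products or from the SnakeYaml project. It assumes SnakeYaml 1.33 on the classpath; the class name SnakeYamlConstructorDemo and the sample YAML document are constructed for the example.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Shows the mechanism behind CVE-2022-1471: Constructor resolves any global tag
 * (!!fully.qualified.ClassName) to a class on the classpath and instantiates it
 * with attacker-chosen arguments, while SafeConstructor only builds the standard
 * YAML types (mappings, sequences, scalars).
 *
 * Assumes SnakeYaml 1.33 (Constructor(LoaderOptions) and
 * SafeConstructor(LoaderOptions) exist there); class and input are constructed
 * for this example.
 */
public class SnakeYamlConstructorDemo {

  // Constructed sample input. The tag names a JDK class the application never
  // asked for; java.io.File is used here because instantiating it is harmless,
  // but the same mechanism reaches any class with a matching constructor.
  static final String UNTRUSTED_YAML =
      "name: report\n"
    + "output: !!java.io.File [\"/tmp/attacker-chosen\"]\n";

  /** Vulnerable pattern: the plain Constructor instantiates whatever the tag names. */
  static Object loadWithConstructor(String yaml) {
    Yaml loader = new Yaml(new Constructor(new LoaderOptions()));
    return loader.load(yaml);
  }

  /** Hardened pattern: SafeConstructor rejects global tags with a ConstructorException. */
  static Object loadWithSafeConstructor(String yaml) {
    Yaml loader = new Yaml(new SafeConstructor(new LoaderOptions()));
    return loader.load(yaml);
  }

  public static void main(String[] args) {
    Map<?, ?> doc = (Map<?, ?>) loadWithConstructor(UNTRUSTED_YAML);
    // The "output" value is a java.io.File built from the input, proving that an
    // arbitrary class was instantiated purely because the YAML named it.
    System.out.println("Constructor built: " + doc.get("output").getClass().getName());

    try {
      loadWithSafeConstructor(UNTRUSTED_YAML);
      System.out.println("unexpected: SafeConstructor accepted a global tag");
    } catch (YAMLException e) {
      // ConstructorException extends YAMLException; SafeConstructor refuses the tag
      // before any class lookup or constructor call happens.
      System.out.println("SafeConstructor rejected the document: " + e.getMessage());
    }
  }
}
```

The publicly documented exploit chains for this CVE use the same global-tag mechanism with JDK classes whose constructors load or execute code (java.net.URLClassLoader and javax.script.ScriptEngineManager are the commonly cited ones), which is why the advisory's argument turns entirely on whether Constructor() is ever handed untrusted input. Note that SnakeYaml 2.x changes the default: global tags are rejected unless a TagInspector configured on LoaderOptions explicitly allows them, so the first half of this example only reproduces the problem on 1.x.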

Revision History

2023-10-24 Starting with Oxygen XML Author version 26.0 build 2023100905, SnakeYaml was updated to a newer version that includes a fix for CVE-2022-1471.

2023-10-24 Starting with Oxygen XML Developer version 26.0 build 2023100905, SnakeYaml was updated to a newer version that includes a fix for CVE-2022-1471.

2023-10-24 Starting with Oxygen XML Editor version 26.0 build 2023100905, SnakeYaml was updated to a newer version that includes a fix for CVE-2022-1471.

2023-10-24 Starting with Oxygen Publishing Engine version 26.0 build 2023100523, SnakeYaml was updated to a newer version that includes a fix for CVE-2022-1471.
