CVE-2022-1471 - Remote Code Execution (RCE)
Severity: None
2023-01-06
Abstract
SnakeYaml's Constructor() class does not restrict the types that can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
The Oxygen products incorporate SnakeYaml as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
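The difference between the two constructors named above, as an added example that is not part of this advisory and not Oxygen's or SnakeYaml's own code. It assumes SnakeYaml 2.x on the classpath; the class names `Demo` and `Marker` and the YAML document are constructed for the demonstration. `Marker` stands in for "any class on the classpath": constructing it flips a flag, which makes it visible whether the parser instantiated a type the application never asked for.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Demonstrates why the choice of constructor decides whether untrusted YAML can
 * instantiate arbitrary classes (CVE-2022-1471). Assumes SnakeYaml 2.x.
 */
public class Demo {

    /** Stand-in for "any class on the classpath" (constructed for this example). */
    public static class Marker {
        static boolean constructed = false;

        public Marker() {
            // Side effect that shows the parser ran a constructor we did not ask for.
            constructed = true;
        }
    }

    // Constructed sample input: an ordinary config document plus one entry that
    // carries a class tag. A tag like this is the attacker-controlled part.
    static final String UNTRUSTED_YAML =
        "name: report\n" +
        "retries: 3\n" +
        "payload: !!Demo$Marker {}\n";

    /**
     * Hardened: SafeConstructor only builds YAML core types (maps, lists, scalars).
     * A tag naming a Java class is rejected with a ConstructorException
     * (a YAMLException) before any class is resolved or instantiated.
     */
    static Map<String, Object> parseUntrusted(String yaml) {
        Yaml safe = new Yaml(new SafeConstructor(new LoaderOptions()));
        return safe.load(yaml);
    }

    /**
     * Pre-fix pattern: Constructor resolves "!!" tags to classes and instantiates
     * them. On versions covered by CVE-2022-1471 this runs Marker's constructor.
     * On SnakeYaml 2.x the default LoaderOptions tag inspector denies global tags,
     * so the same call fails with a YAMLException instead.
     */
    static Map<String, Object> parseWithConstructor(String yaml) {
        Yaml full = new Yaml(new Constructor(new LoaderOptions()));
        return full.load(yaml);
    }

    public static void main(String[] args) {
        try {
            Map<String, Object> cfg = parseUntrusted(UNTRUSTED_YAML);
            System.out.println("unexpected: class tag accepted, got " + cfg);
        } catch (YAMLException e) {
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }
        System.out.println("Marker constructed after safe parse? " + Marker.constructed);

        try {
            parseWithConstructor(UNTRUSTED_YAML);
        } catch (YAMLException e) {
            System.out.println("Constructor rejected the document: " + e.getMessage());
        }
        // false on 2.x (tag inspector blocked it); true on pre-fix versions.
        System.out.println("Marker constructed after Constructor parse? " + Marker.constructed);
    }
}
```

The practical check for a code base is therefore the one this advisory applies to Oxygen: find every `new Yaml(...)` and confirm which constructor it receives and whether the input it parses can be attacker-controlled. `SafeConstructor` returns only `Map`, `List` and scalar values, so callers that relied on `Constructor` mapping YAML onto application beans need to do that mapping themselves after parsing.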
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen XML Author v25.0 and older | None | Oxygen XML Author 25.0 build 2022121306 |
| Oxygen XML Developer v25.0 and older | None | Oxygen XML Developer 25.0 build 2022121306 |
| Oxygen XML Editor v25.0 and older | None | Oxygen XML Editor 25.0 build 2022121306 |
| Oxygen Content Fusion v5.0.1 and older | None | Oxygen Content Fusion 5.0.2 build 2022121305 |
| Oxygen Publishing Engine v25.0 and older | None | Oxygen Publishing Engine 25.0 build 2022121304 |
Detail
CVE-2022-1471
Severity: Critical
CVSS Score: 9.8
The SnakeYaml third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2022-1471 vulnerability description. However, the Oxygen products do not use the Constructor() class in the way the vulnerability describes. For that reason, Oxygen XML products are not affected by this vulnerability.
Revision History
2023-10-24 Starting with Oxygen XML Author version 26.0 build 2023100905, SnakeYaml was updated to a newer version that includes a fix for CVE-2022-1471.
2023-10-24 Starting with Oxygen XML Developer version 26.0 build 2023100905, SnakeYaml was updated to a newer version that includes a fix for CVE-2022-1471.
2023-10-24 Starting with Oxygen XML Editor version 26.0 build 2023100905, SnakeYaml was updated to a newer version that includes a fix for CVE-2022-1471.
2023-10-24 Starting with Oxygen Publishing Engine version 26.0 build 2023100523, SnakeYaml was updated to a newer version that includes a fix for CVE-2022-1471.