Critical Vulnerability Information

Vulnerability Overview
CVE ID: CVE-2022-31691
Vulnerability Name: Remote Code Execution via YAML editors in STS4 extensions for Eclipse and VSCode
Severity: MEDIUM
Release Date: 2022-11-03

Description
Spring Tools 4 for Eclipse versions 4.16.0 and earlier, as well as the VSCode extensions Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor, and Cloud Foundry Manifest YAML Support in versions 1.39.0 and earlier, use the Snakeyaml library for YAML editing support. In certain scenarios, this library may allow special YAML syntax to lead to remote code execution.

Affected Products and Versions
Spring Tools 4 for Eclipse: Spring Tool Suite 4.0.0 - 4.16.0
VSCode Extension: Spring Boot Tools 1.0.0 - 1.39.0
VSCode Extension: Concourse CI Pipeline Editor 1.0.0 - 1.39.0
VSCode Extension: Bosh Editor 1.0.0 - 1.39.0
VSCode Extension: Cloud Foundry Manifest YAML Support 1.0.0 - 1.39.0

Mitigation
Eclipse: Upgrade STS4 to version 4.16.1 or later
VSCode: Upgrade the above extensions to version 1.40.0 or later

Acknowledgments
This issue was identified and responsibly reported by Zewei Zhang from NSFOCUS TIANJI Lab.

References
https://servicedesk.eng.vmware.com/browse/VSRC-13947

History
2022-11-03: Initial vulnerability report published.
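The Description above names the root cause only in general terms: Snakeyaml, when used with its default loader, will resolve certain YAML tags to Java classes and instantiate them, so editing a YAML file from an untrusted source can execute code. The example below is added here and is not code from the advisory, from Spring Tools 4, or from the Snakeyaml project. It contrasts the permissive default loader with a SafeConstructor loader, which only builds standard YAML types (maps, lists, scalars) and rejects global tags. It assumes SnakeYAML 1.33 or later, where `SafeConstructor(LoaderOptions)` exists, and uses a constructed, benign document tagged `!!java.util.HashMap` so that the difference in behaviour is visible without anything harmful being loaded.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Added example (not from the advisory or the STS4 project): loading YAML that
 * carries a global tag with the default SnakeYAML loader versus a SafeConstructor
 * loader. Assumes SnakeYAML 1.33+ on the classpath.
 */
public class SafeYamlLoading {

    // Constructed sample document. The tag names a Java class; with a default
    // Yaml() in SnakeYAML 1.x the class is looked up and instantiated. The class
    // chosen here is harmless, which is the point: the loader, not the data,
    // decides whether a tag is allowed to reach the JVM.
    static final String TAGGED_DOC = "!!java.util.HashMap {editor: sts4, version: 1}";

    /** Permissive default loader; returns the runtime class name of the loaded value. */
    static String loadWithDefaultLoader(String doc) {
        Yaml yaml = new Yaml(); // 1.x default: global tags resolve to Java classes
        Object value = yaml.load(doc);
        return value == null ? "null" : value.getClass().getName();
    }

    /**
     * Hardened loader. SafeConstructor knows only the standard YAML tags and
     * throws a YAMLException (ConstructorException) for any other global tag.
     */
    static Object loadSafely(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        // Default loader: the tag is honoured and a java.util.HashMap is built.
        System.out.println("default loader built: " + loadWithDefaultLoader(TAGGED_DOC));

        // Safe loader: the same document is rejected before any class is touched.
        try {
            loadSafely(TAGGED_DOC);
            System.out.println("safe loader accepted the tagged document (unexpected)");
        } catch (YAMLException e) {
            System.out.println("safe loader rejected the global tag: " + e.getMessage());
        }

        // Safe loader still parses ordinary, untagged YAML as a plain Map.
        Map<?, ?> plain = (Map<?, ?>) loadSafely("editor: sts4\nversion: 1\n");
        System.out.println("safe loader parsed plain YAML: " + plain);
    }
}
```

For an editor or tooling component that only needs to read YAML structure, SafeConstructor (or an equivalent restricted constructor) is the setting to look for when reviewing a dependency; the upgrade listed under Mitigation is the fix for the affected products themselves. Note that SnakeYAML 2.0 changed the default loader so that global tags are no longer resolved unless a TagInspector explicitly allows them, so the "default loader built" line above reflects 1.x behaviour only.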