CVE-2022-1471 PoC — Remote Code execution in SnakeYAML

Source

https://github.com/1fabunicorn/SnakeYAML-CVE-2022-1471-POC

Associated Vulnerability

Title:Remote Code execution in SnakeYAML (CVE-2022-1471)
Description:SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Description

Code for veracode blog

Readme

# SnakeYAML-CVE-2022-1471-POC
Code for veracode blog

To demonstrate the Code Execution, 
1. Build the project using maven 
2. Execute `python3 -m http.server 8080` to run the http server
3. Run `exploit.java`. You should observe a HTTP GET request on the server
4. To demonstrate how SnakeYAML 2.0 prevents the attack, comment out the 1.33 dependency in the `pom.xml`
5. Uncomment the 2.0 dependency, then rebuild the project, 
6. Comment out `exploit.java` and uncomment `Poc.java`
7. Run `Poc.java` and observe no GET request

File Snapshot


 [4.0K]  /data/pocs/e562d5919f84ec5ca40c5e67d6aa222bdd0a9773
├── [1.1K]  pom.xml
├── [ 529]  README.md
└── [4.0K]  src
    └── [4.0K]  main
        └── [4.0K]  java
            └── [4.0K]  org
                └── [4.0K]  example
                    ├── [ 756]  exploit.java
                    └── [1.2K]  Poc.java

5 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!