CVE-2022-1471

HIGH LAB

PyTorch Model Server Registration and Deserialization RCE

Title source: metasploit

Description

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Exploits (6)

nomisec WORKING POC 8 stars

by 1fabunicorn · poc

https://github.com/1fabunicorn/SnakeYAML-CVE-2022-1471-POC

View Code ZIP pw:eip

github WORKING POC 5 stars

by JAckLosingHeart · javapoc

https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/snakeyaml-CVE-2022-1471

View Code ZIP pw:eip

nomisec WORKING POC 4 stars

by falconkei · poc

https://github.com/falconkei/snakeyaml_cve_poc

View Code ZIP pw:eip

nomisec NO CODE

by jelee2555 · poc

https://github.com/jelee2555/CVE-2022-1471-attacker

View Code ZIP pw:eip

nomisec WORKING POC

by seal-sec-demo-2 · poc

https://github.com/seal-sec-demo-2/yaml-payload

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Idan Levcovich, Guy Kaplan, Gal Elbaz, Swapneil Kumar Dash, Spencer McIntyre · rubypocjava

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/torchserver_cve_2023_43654.rb

View Code ZIP pw:eip

References (11)

[Mailing List] http://www.openwall.com/lists/oss-security/2023/11/19/1

[Issue Tracking, Third Party Advisory] https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479

[Various Sources] https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html

[Exploit, Third Party Advisory] https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2

[Exploit, Third Party Advisory] https://github.com/mbechler/marshalsec

[Mailing List] https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc

[Various Sources] https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c

[Exploit, Third Party Advisory] https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20230818-0015/

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20240621-0006/

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html

Scores

CVSS v3 8.3

EPSS 0.9385

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Lab Environment

COMMUNITY

Community Lab

docker pull gcr.io/distroless/java:11

https://github.com/1fabunicorn/SnakeYAML-CVE-2022-1471-POC

https://github.com/falconkei/snakeyaml_cve_poc

https://github.com/seal-sec-demo-2/yaml-payload

+2 more repos

View in Library

Details

CWE

CWE-502 CWE-20

Status published

Products (2)

org.yaml/snakeyaml 0 - 2.0Maven

snakeyaml_project/snakeyaml < 2.0

Published Dec 01, 2022

Tracked Since Feb 18, 2026