vulnerability
Oracle Linux: CVE-2022-1471: ELSA-2022-9058-1: prometheus-jmx-exporter security update (IMPORTANT)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Oct 13, 2022 | Dec 16, 2022 | Dec 3, 2025 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
Oct 13, 2022
Added
Dec 16, 2022
Modified
Dec 3, 2025
Description
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
Solutions
oracle-linux-upgrade-prometheus-jmx-exporteroracle-linux-upgrade-prometheus-jmx-exporter-openjdk11oracle-linux-upgrade-prometheus-jmx-exporter-openjdk17oracle-linux-upgrade-prometheus-jmx-exporter-openjdk8
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.