CVE-2022-1471
SnakeYAML Constructor False Positive
Dependency and container scanners will flag CVE-2022-1471 against Rundeck and Runbook Automation because the SnakeYAML library bundled with those releases falls in the version range the CVE covers.
The finding is reported against the SnakeYAML 1.32 and 1.33 versions shipped in the affected releases. The vulnerability is only reachable when an application deserializes untrusted YAML through SnakeYAML's "Constructor" class (the default used by new Yaml()), which resolves "!!" global tags to arbitrary classes on the classpath and instantiates them. It does not apply to "SafeConstructor", which only constructs the standard YAML types (maps, sequences and scalars) and rejects global tags with a ConstructorException. Rundeck and Runbook Automation do not use "Constructor" anywhere; they use only "SafeConstructor", so the finding is a false positive.
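The difference between the two constructors, shown as an added Java example that is not part of the Rundeck or Runbook Automation code base. It assumes SnakeYAML 1.33 or later on the classpath (where SafeConstructor accepts a LoaderOptions argument); the YAML input is a constructed sample that names java.io.File as a harmless stand-in for whatever class an attacker would choose:

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlConstructorDemo {

    // Constructed sample input (not from the page): a "!!" global tag naming an
    // arbitrary JVM class. java.io.File is harmless here; the point is that the
    // class name comes from whoever supplies the YAML, not from the application.
    // Publicly documented exploit chains use the same mechanism with classes whose
    // constructors have side effects, which is what CVE-2022-1471 describes.
    static final String UNTRUSTED_YAML = "!!java.io.File [/etc/hostname]";

    /**
     * CVE-2022-1471 pattern: new Yaml() uses the default Constructor, which
     * resolves the tag to java.io.File and calls its public one-argument
     * constructor with the scalar from the sequence.
     */
    static Object loadWithDefaultConstructor(String yaml) {
        Yaml y = new Yaml();
        return y.load(yaml); // returns a java.io.File instance
    }

    /**
     * Safe pattern (the one Rundeck uses): SafeConstructor has no class-based
     * constructors registered, so any "!!" global tag falls through to the
     * undefined-constructor handler and raises a ConstructorException instead of
     * instantiating anything.
     */
    static Object loadWithSafeConstructor(String yaml) {
        Yaml y = new Yaml(new SafeConstructor(new LoaderOptions()));
        return y.load(yaml); // throws for the tag above
    }

    public static void main(String[] args) {
        Object unsafe = loadWithDefaultConstructor(UNTRUSTED_YAML);
        System.out.println("Constructor instantiated: " + unsafe.getClass().getName());

        try {
            loadWithSafeConstructor(UNTRUSTED_YAML);
            System.out.println("SafeConstructor accepted the tag (unexpected)");
        } catch (YAMLException e) {
            // ConstructorException extends YAMLException
            System.out.println("SafeConstructor rejected it: " + e.getMessage());
        }
    }
}
```

When auditing a code base for this CVE, the check that matters is therefore not the SnakeYAML version string the scanner matches on but how Yaml objects are built: any new Yaml() or new Yaml(new Constructor(...)) that is fed externally supplied input is the pattern to look for, while new Yaml(new SafeConstructor(...)) is not affected.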
The team is working on ways to mitigate the false finding and will update this page and the Release Notes when there is progress.
Tips
Rundeck and Runbook Automation versions 5.0 and later ship an upgraded SnakeYAML, and this finding will no longer appear in scans of those releases.