SnakeYAML Constructor False Positive

Vulnerability scanners will flag CVE-2022-1471 against Rundeck/Process Automation as a vulnerability found in the codebase. This is a false positive.

The finding is specific to SnakeYAML versions 1.32 and 1.33. The vulnerability is only exploitable when YAML from an untrusted source is loaded through SnakeYAML's "Constructor" (the default used by `new Yaml()`), which honours global `!!` tags in the document and instantiates whatever class they name. It does not apply when the document is loaded through "SafeConstructor", which only constructs the standard YAML types (strings, numbers, lists, maps) and rejects global tags. Rundeck and Process Automation do not use SnakeYAML "Constructor"; they only use "SafeConstructor".
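The difference between the two constructors, as an added example that is not part of the Rundeck codebase or this page. It is written against the SnakeYAML 1.33 API (the no-argument `SafeConstructor()` used here was removed in 2.x, where a `LoaderOptions` argument is required). The YAML document is constructed for the demonstration and names `java.net.URL`, a harmless JDK class, purely to show that the default constructor instantiates a class chosen by the document while "SafeConstructor" refuses to:

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class ConstructorVsSafeConstructor {

    // Constructed input: a YAML document carrying a global (!!) tag that names a
    // JDK class and passes one constructor argument to it. The class is benign;
    // the point is that the attacker, not the application, chooses it.
    static final String UNTRUSTED_DOC = "!!java.net.URL [\"https://example.org/\"]";

    // new Yaml() uses org.yaml.snakeyaml.constructor.Constructor, the CVE-2022-1471
    // pattern: any class on the classpath can be named by the document and SnakeYAML
    // will try to instantiate it.
    static String loadWithDefaultConstructor(String doc) {
        Yaml yaml = new Yaml();
        Object value = yaml.load(doc);
        return value == null ? "null" : value.getClass().getName();
    }

    // SafeConstructor knows only the standard YAML types (str, int, seq, map, ...).
    // A global tag it does not recognise is rejected with a YAMLException, so the
    // class name in the document is never resolved, let alone constructed.
    static String loadWithSafeConstructor(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        try {
            Object value = yaml.load(doc);
            return value == null ? "null" : value.getClass().getName();
        } catch (YAMLException e) {
            return "rejected: " + e.getMessage().split("\n")[0];
        }
    }

    public static void main(String[] args) {
        // Default Constructor: prints "java.net.URL", an object built from the document.
        System.out.println("Constructor     -> " + loadWithDefaultConstructor(UNTRUSTED_DOC));
        // SafeConstructor: prints "rejected: could not determine a constructor for the tag ..."
        System.out.println("SafeConstructor -> " + loadWithSafeConstructor(UNTRUSTED_DOC));
    }
}
```

When auditing a codebase for this finding, the calls to look for are `new Yaml()` and `new Yaml(new Constructor(...))` on data that did not originate inside the application; `new Yaml(new SafeConstructor(...))` is the pattern the scanner cannot distinguish from the vulnerable one, which is why a dependency-level check reports it regardless of how the library is used.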

The team is working on ways to suppress the false finding and will update this page and the Release Notes as progress is made.

Versions 5.0+ ship an upgraded SnakeYAML and will not list this finding in scans.