PT-2022-20891 · Spring · Spring Tools 4 For Eclipse
Zewei Zhang · Published 2022-11-04 · Updated 2023-08-08 · CVE-2022-31691
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Spring Tools 4 for Eclipse version 4.16.0 and below
Spring Boot Tools version 1.39.0 and below
Concourse CI Pipeline Editor version 1.39.0 and below
Bosh Editor version 1.39.0 and below
Cloudfoundry Manifest YML Support version 1.39.0 and below
Description
The affected editors use the SnakeYAML library for YAML editing support. SnakeYAML accepts special syntax in YAML files, and under certain circumstances a crafted YAML file opened in the editor can lead to remote code execution by an attacker.
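The mitigation on the consumer side is to parse untrusted YAML with a loader that only builds plain maps, lists and scalars and refuses tags that name Java classes. The following Java snippet is an added example and is not code from the Spring Tools projects or from the advisory; it assumes SnakeYAML 1.33 or later (the SafeConstructor(LoaderOptions) constructor) and uses two constructed YAML documents, one ordinary and one carrying a global tag with a made-up class name, to show the safe loader accepting the first and rejecting the second.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoad {

    // Constructed sample: an ordinary document with only maps, lists and scalars.
    static final String PLAIN_DOC =
            "name: build\n"
          + "steps:\n"
          + "  - run: mvn package\n";

    // Constructed sample: the same document prefixed with a global tag that names
    // a (hypothetical) Java class. The default constructor used by `new Yaml()`
    // resolves such tags to classes; SafeConstructor does not.
    static final String TAGGED_DOC =
            "!!com.example.NotAllowed\n"
          + "name: build\n";

    // Weak setting: `new Yaml()` with no arguments resolves class-naming tags.
    // Corrected setting: SafeConstructor restricts construction to standard YAML types.
    static Yaml safeLoader() {
        LoaderOptions opts = new LoaderOptions();
        return new Yaml(new SafeConstructor(opts));
    }

    // Returns the parsed document for ordinary YAML, or null if the loader refused it.
    static Map<String, Object> loadOrNull(Yaml yaml, String document) {
        try {
            return yaml.load(document);
        } catch (YAMLException e) {
            // SafeConstructor raises a ConstructorException (a YAMLException) for
            // tags it has no constructor for, instead of instantiating a class.
            System.out.println("rejected: " + e.getMessage().split("\n")[0]);
            return null;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = safeLoader();

        Map<String, Object> plain = loadOrNull(yaml, PLAIN_DOC);
        System.out.println("plain document keys: " + (plain == null ? "none" : plain.keySet()));

        Map<String, Object> tagged = loadOrNull(yaml, TAGGED_DOC);
        System.out.println("tagged document accepted: " + (tagged != null));
    }
}
```

Editors and build tools that only need to read YAML as data (pipeline definitions, manifests, Spring Boot properties) can use the safe loader for every file they open; the full-featured constructor is only justified when the application deliberately maps documents onto its own classes.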
Recommendations
For Spring Tools 4 for Eclipse version 4.16.0 and below, update to a version above 4.16.0 to resolve the issue.
For Spring Boot Tools version 1.39.0 and below, update to a version above 1.39.0 to resolve the issue.
For Concourse CI Pipeline Editor version 1.39.0 and below, update to a version above 1.39.0 to resolve the issue.
For Bosh Editor version 1.39.0 and below, update to a version above 1.39.0 to resolve the issue.
For Cloudfoundry Manifest YML Support version 1.39.0 and below, update to a version above 1.39.0 to resolve the issue.
Weakness Enumeration
Code Injection
Affected Products
Spring Boot Tools
Spring Tools 4 For Eclipse