PT-2022-6078
Jonathan Leitschuh · Published 2022-04-11 · Updated 2026-05-18
CVE-2022-1471
CVSS v2.0: 10 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
SnakeYaml versions prior to 2.0
Bitbucket Data Center versions 7.17.x through 8.8.6
Bitbucket Server versions 7.17.x through 8.8.6
Confluence Data Center versions 6.13.x through 8.3.0
Confluence Server versions 6.13.x through 8.3.0
Description
The SnakeYaml library's Constructor class (the default constructor behind a plain new Yaml() in versions before 2.0) does not restrict the types that can be instantiated during deserialization: a global tag in the document names an arbitrary class on the classpath, and the loader instantiates it. An attacker who can supply YAML that the application parses with this loader can therefore achieve remote code execution. This issue affects multiple Atlassian products, including Bitbucket Data Center, Bitbucket Server, Confluence Data Center, and Confluence Server. Atlassian Cloud sites are not affected.
Recommendations
For SnakeYaml, upgrade to version 2.0 or beyond.
For Bitbucket Data Center and Bitbucket Server, patch to version 7.21.16 (LTS), 8.8.7, 8.9.4 (LTS), 8.10.4, 8.11.3, 8.12.1, or later.
For Confluence Data Center and Confluence Server, patch to version 7.19.17 (LTS), 8.4.5, 8.5.4 (LTS), 8.6.2 (Data Center Only), or 8.7.1 (Data Center Only).
As a temporary workaround, consider using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
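The unrestricted loader beside the SafeConstructor workaround, as an added illustration that is not part of this advisory or of SnakeYaml's own documentation. It assumes SnakeYaml 1.x on the classpath and uses java.util.Date as a harmless stand-in for whatever class a hostile document would name:

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SnakeYamlLoaderDemo {

    // Constructed input: the "!!" global tag asks the loader to instantiate the named
    // JVM class and populate it from the mapping. java.util.Date is harmless; the
    // point is that the class name is chosen by whoever wrote the document.
    static final String UNTRUSTED_YAML = "!!java.util.Date {}";

    // Before: the pre-2.0 default. Constructor resolves any "!!" tag to a class name
    // and calls its no-arg constructor and setters. This is the vulnerable path.
    static Object loadUnrestricted(String yaml) {
        return new Yaml(new Constructor()).load(yaml);
    }

    // After: SafeConstructor only knows the standard YAML types (maps, sequences,
    // scalars) and rejects every tag it does not recognise, so the class named in
    // the document is never loaded or instantiated.
    static Object loadRestricted(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    public static void main(String[] args) {
        Object unsafe = loadUnrestricted(UNTRUSTED_YAML);
        // Prints java.util.Date: the document, not the application, picked the type.
        System.out.println("Constructor instantiated: " + unsafe.getClass().getName());

        try {
            loadRestricted(UNTRUSTED_YAML);
            System.out.println("unexpected: SafeConstructor accepted the global tag");
        } catch (ConstructorException e) {
            // "could not determine a constructor for the tag tag:yaml.org,2002:java.util.Date"
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
    // On SnakeYaml 2.0+ both constructors take a LoaderOptions argument and a plain
    // new Yaml() already rejects global tags by default, which is why the upgrade
    // is the permanent fix and SafeConstructor only the interim workaround.
}
```

A quick audit check is to grep the code base for `new Yaml(` and `new Constructor(` and confirm every call that touches externally supplied input goes through SafeConstructor or a 2.0 loader.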
Exploit
Fix
RCE
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Almalinux
Bitbucket
Bitbucket Server
Centos
Confluence
Debian
Red Hat
Red Os
Rocky Linux