Published: 04/11/2022 Updated: 08/08/2023

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 0

Subscribe to Cloudfoundry Manifest Yml Support

Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use Snakeyaml library for YAML editing support. This library allows for some special syntax in the YAML that under certain circumstances allows for potentially harmful remote code execution by the attacker.

Vulnerable Product	Search on Vulmon	Subscribe to Product
vmware cloudfoundry manifest yml support
vmware bosh editor
vmware concourse ci pipeline editor
vmware spring tools
vmware spring boot tools

A write-up of my (so far inconclusive) look into CVE-2022-31691

CVE-2022-31691 A write-up of my (so far inconclusive) look into CVE-2022-31691 Background I'm a frequent user of the Spring Tool Suite (STS) for Eclipse, and tend to rely on it to initialise new Spring Boot projects This vulnerability (see tanzuvmwarecom/security/cve-2022-31691) is an RCE which can be induced through unsafe loading of content from a yaml config

NVD-CWE-noinfo https://tanzu.vmware.com/security/cve-2022-31691 https://nvd.nist.gov https://github.com/SpindleSec/CVE-2022-31691

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2022-31691

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect