CVE-2022-31691

Published: Nov 4, 2022Modified: May 2, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use Snakeyaml library for YAML editing support. This library allows for some special syntax in the YAML that under certain circumstances allows for potentially harmful remote code execution by the attacker.

Affected (5)

Products: Vmware: Bosh Editor, Cloudfoundry Manifest Yml Support, Concourse Ci Pipeline Editor, Spring Boot Tools, Spring Tools

Vmware

5 products

Bosh Editor

Cloudfoundry Manifest Yml Support

Concourse Ci Pipeline Editor

Spring Boot Tools

Spring Tools

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Vmware Bosh Editor	From 1.0.0 to 1.40.0
Vmware Cloudfoundry Manifest Yml Support	From 1.0.0 to 1.40.0
Vmware Concourse Ci Pipeline Editor	From 1.0.0 to 1.40.0
Vmware Spring Boot Tools	From 1.0.0 to 1.40.0
Vmware Spring Tools	From 4.0.0 to 4.16.1

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://tanzu.vmware.com/security/cve-2022-31691

Source: security@vmware.com

Vendor Advisory

https://tanzu.vmware.com/security/cve-2022-31691

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.