Security Announcement on CVE-2022-1471
We will update this announcement with new details as they emerge from our analysis. Please check back periodically.
Last update: 27 June 2023, 10:30 PM CET
This CVE is ignored upstream: https://github.com/spring-projects/spring-boot/issues/33457
The implementation in Spring Boot 2.7. does not use the SnakeYAML unsafe constructor, so it is not possible to trigger the exploit without explicit usage of the vulnerable code.
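To check your own application code for the explicit usage mentioned above, the following heuristic audit flags `new Yaml(...)` instantiations that do not pass a `SafeConstructor`. It is an added example, not code from Spring Boot or from this announcement; the function names and the sample Java source are constructed for illustration. It assumes SnakeYAML 1.x, where the no-argument `Yaml()` uses the general `Constructor`.

```python
import re

# Heuristic source audit: comments and string literals are not parsed.
YAML_CTOR = re.compile(r"\bnew\s+Yaml\s*\(")
EXPLICIT_CTOR = re.compile(r"\bnew\s+\w*Constructor\s*\(")


def _args(src, start):
    """Return the argument text from src[start] up to the matching ')'."""
    depth, i = 1, start
    while i < len(src) and depth:
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1] if depth == 0 else src[start:]


def audit(src):
    """Return (line, verdict, args) for every `new Yaml(...)` in Java source."""
    findings = []
    for m in YAML_CTOR.finditer(src):
        args = _args(src, m.end()).strip()
        line = src.count("\n", 0, m.start()) + 1
        if "SafeConstructor" in args:
            verdict = "safe"      # only standard YAML types are built
        elif args == "" or EXPLICIT_CTOR.search(args):
            verdict = "unsafe"    # general Constructor, default or explicit
        else:
            verdict = "review"    # passed via a variable: check its type by hand
        findings.append((line, verdict, args))
    return findings


# Constructed sample input (hypothetical class, not from any real project).
SAMPLE = """\
class ConfigLoader {
    Object a(String s) { return new Yaml().load(s); }
    Object b(String s) { return new Yaml(new SafeConstructor()).load(s); }
    Object c(String s) { return new Yaml(new Constructor(Settings.class)).load(s); }
    Object d(String s) { return new Yaml(ctor).load(s); }
}
"""

if __name__ == "__main__":
    for line, verdict, args in audit(SAMPLE):
        print(f"line {line}: {verdict:7} new Yaml({args})")
```

An "unsafe" or "review" finding only matters where the parsed YAML can come from an untrusted source; the usual fix is to pass a `SafeConstructor` to `Yaml`.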