Security Announcement on CVE-2022-1471

We will update this announcement with new details as they emerge from our analysis. Please check back periodically.

Last update: 27 June 2023, 10:30 PM CET

This CVE is ignored upstream:

The implementation in Spring Boot 2.7. does not use the SnakeYaml unsafe constructor, so it is not possible to trigger the exploit without explicit usage of the vulnerable code.
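
For application code that calls SnakeYaml directly, the following added example (not part of the original announcement and not Spring Boot's own code) shows loading through `SafeConstructor`, which builds only standard YAML types and rejects a document that names a Java class in a tag. It assumes a SnakeYaml version on the classpath that provides `SafeConstructor(LoaderOptions)`; the class name `SafeYamlLoading`, the helper `loadUntrusted` and both sample documents are constructed for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoading {

    // Hypothetical helper: parses a YAML document with SafeConstructor.
    // SafeConstructor only produces maps, lists, strings, numbers and other
    // standard types; it has no rule for tags that name arbitrary classes.
    static Object loadUntrusted(String document) {
        LoaderOptions options = new LoaderOptions();
        // Reject documents that define the same key twice in one mapping.
        options.setAllowDuplicateKeys(false);
        Yaml yaml = new Yaml(new SafeConstructor(options));
        return yaml.load(document);
    }

    public static void main(String[] args) {
        // Constructed sample: ordinary configuration, loaded as nested maps.
        String plain = "server:\n  port: 8080\n";
        System.out.println("parsed: " + loadUntrusted(plain));

        // Constructed sample: a global tag naming a placeholder class.
        // With SafeConstructor the load fails before any class is looked up.
        String tagged = "!!com.example.Placeholder {name: demo}\n";
        try {
            loadUntrusted(tagged);
            throw new IllegalStateException("class tag was not rejected");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

When reviewing a code base for explicit usage of the vulnerable code, look for `Yaml` instances created without a `SafeConstructor` and fed data from outside the application.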