Cyber Resilience

CVE-2022-31691

Critical · RCE

Published: 04 November 2022

Modified: 02 May 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1281 (94.2th percentile)
Risk Priority: 27 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-31691 is a critical-severity Code Injection (CWE-94) vulnerability in VMware Bosh Editor. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-31691 affects Spring Tools 4 for Eclipse versions 4.16.0 and earlier, along with several VSCode extensions including Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor, and Cloudfoundry Manifest YML Support versions 1.39.0 and earlier. These components incorporate the SnakeYAML library to provide YAML editing features, and the library's support for certain special syntax can be abused to trigger remote code execution under specific conditions. The issue is tracked under CWE-94 and carries a CVSS 3.1 base score of 9.8.

An unauthenticated attacker can supply a malicious YAML document over the network that leverages SnakeYAML's deserialization behavior, resulting in arbitrary code execution on the affected system with full confidentiality, integrity, and availability impact.

The referenced VMware Tanzu advisories at https://tanzu.vmware.com/security/cve-2022-31691 provide official guidance on the vulnerability. The EPSS score reached a peak of 0.1361 with a current value of 0.1281, indicating moderate but not sharply increasing exploitation interest after disclosure.

Vulnerability details

Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use Snakeyaml library for YAML editing support. This library allows for some special syntax in the YAML that under certain circumstances allows for potentially harmful remote code execution by the attacker.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

| Vendor | Product | Versions |
| --- | --- | --- |
| vmware | bosh editor | 1.0.0 — 1.40.0 |
| vmware | cloudfoundry manifest yml support | 1.0.0 — 1.40.0 |
| vmware | concourse ci pipeline editor | 1.0.0 — 1.40.0 |
| vmware | spring boot tools | 1.0.0 — 1.40.0 |
| vmware | spring tools | 4.0.0 — 4.16.1 |

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.