oss-sec mailing list archives
[CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration
From: Oliver Heger <oheger () apache org>
Date: Fri, 13 Mar 2020 07:33:45 +0100
CVE-2020-1953: Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: 2.2 to 2.6

Description: Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. If a YAML file is from an untrusted source, it can therefore load and execute code out of the control of the host application.

Mitigation: Users should upgrade to 2.7, which prevents class instantiation by the YAML processor.

Credit: This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team

Oliver Heger on behalf of the Apache Commons PMC
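The "special statements" the advisory refers to are YAML global tags (`!!fully.qualified.ClassName`), which the default constructor of SnakeYAML, the library behind Commons Configuration's YamlConfiguration, resolves to a JVM class and instantiates. The following is an added example, not code from the advisory or from Apache Commons Configuration; it assumes SnakeYAML 1.x on the classpath and uses a constructed YAML document that names java.io.File purely to show that the class being created is chosen by the author of the file, not by the application. The hardened variant uses SnakeYAML's SafeConstructor, which accepts only the standard YAML types and rejects every other tag, which is the kind of behaviour the advisory says 2.7 enforces.

```java
// Added example (not part of the advisory or of Apache Commons Configuration).
// Assumes SnakeYAML 1.x (org.yaml:snakeyaml) is on the classpath.
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlTagDemo {

    // Constructed input: a "!!" global tag naming a JVM class, followed by a
    // sequence that SnakeYAML's default constructor feeds to a matching
    // one-argument constructor. java.io.File is used only as a harmless
    // illustration; the attacker picks whatever class name they like.
    static final String UNTRUSTED_YAML =
            "value: !!java.io.File [\"/tmp/chosen-by-file-author\"]\n";

    // Default behaviour: new Yaml() uses org.yaml.snakeyaml.constructor.Constructor,
    // which resolves unknown "!!" tags to class names and instantiates them.
    // This is the configuration the affected versions effectively relied on.
    static Object loadWithDefaultConstructor(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened: SafeConstructor only knows the core YAML types (map, seq, str,
    // int, bool, ...) and throws for any tag outside that set, so no
    // application or JDK class can be instantiated by the document.
    static Object loadWithSafeConstructor(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Map<?, ?> m = (Map<?, ?>) loadWithDefaultConstructor(UNTRUSTED_YAML);
        // The value is a java.io.File instance, created because the YAML said so.
        System.out.println("default constructor produced: "
                + m.get("value").getClass().getName());

        try {
            loadWithSafeConstructor(UNTRUSTED_YAML);
            System.out.println("unexpected: SafeConstructor accepted the tag");
        } catch (YAMLException e) {
            // SafeConstructor raises a ConstructorException (a YAMLException)
            // because it has no constructor registered for the File tag.
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

The practical check for an application that cannot upgrade immediately is to look for any `new Yaml()` (or `new Yaml(new Constructor(...))`) call that is fed data from outside the trust boundary and replace it with a SafeConstructor-backed instance; once on Commons Configuration 2.7, YamlConfiguration no longer needs that care from the caller.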