oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

[CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration

From: Oliver Heger <oheger () apache org>
Date: Fri, 13 Mar 2020 07:33:45 +0100
CVE-2020-1953: Uncontrolled class instantiation when loading YAML files
in Apache Commons Configuration

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
2.2 to 2.6

Description:
Apache Commons Configuration uses a third-party library to parse YAML
files which by default allows the instantiation of classes if the YAML
includes special statements. If a YAML file is from an untrusted source,
it can therefore load and execute code out of the control of the host
application.

Mitigation:
Users should upgrade to to 2.7, which prevents class instantiation by
the YAML processor.

Credit:
This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team

Oliver Heger
on behalf of the Apache Commons PMC
Previous By Date Next
Previous By Thread Next

Current thread: