[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] [CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Co
From:       Oliver Heger <oheger () apache ! org>
Date:       2020-03-13 6:33:45
Message-ID: 2ea60db6-f798-f9c6-90c6-93b011257ff7 () apache ! org
[Download RAW message or body]

CVE-2020-1953: Uncontrolled class instantiation when loading YAML files
in Apache Commons Configuration

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
2.2 to 2.6

Description:
Apache Commons Configuration uses a third-party library to parse YAML
files which by default allows the instantiation of classes if the YAML
includes special statements. If a YAML file is from an untrusted source,
it can therefore load and execute code out of the control of the host
application.

Mitigation:
Users should upgrade to to 2.7, which prevents class instantiation by
the YAML processor.

Credit:
This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team

Oliver Heger
on behalf of the Apache Commons PMC

[prev in list] [next in list] [prev in thread] [next in thread]