[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Co
From: Oliver Heger <oheger () apache ! org>
Date: 2020-03-13 6:33:45
Message-ID: 2ea60db6-f798-f9c6-90c6-93b011257ff7 () apache ! org
[Download RAW message or body]
CVE-2020-1953: Uncontrolled class instantiation when loading YAML files
in Apache Commons Configuration
Severity: Moderate
Vendor:
The Apache Software Foundation
Versions Affected:
2.2 to 2.6
Description:
Apache Commons Configuration uses a third-party library to parse YAML
files which by default allows the instantiation of classes if the YAML
includes special statements. If a YAML file is from an untrusted source,
it can therefore load and execute code out of the control of the host
application.
Mitigation:
Users should upgrade to to 2.7, which prevents class instantiation by
the YAML processor.
Credit:
This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team
Oliver Heger
on behalf of the Apache Commons PMC
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic