This is an automated email from the ASF dual-hosted git repository.

garydgregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-configuration.git


The following commit(s) were added to refs/heads/master by this push:
     new 31ed6d4b1 Document CVE-2026-45205
31ed6d4b1 is described below

commit 31ed6d4b1c95df1cc3fa736a6ec1658ff89a656f
Author: Gary Gregory <[email protected]>
AuthorDate: Thu May 14 11:14:36 2026 +0000

    Document CVE-2026-45205
---
 src/changes/changes.xml    |  4 ++--
 src/site/xdoc/security.xml | 23 ++++++++++++++++++++---
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 3ed190cf8..98d47ff87 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -29,10 +29,10 @@
       <!-- ADD -->
       <!-- UPDATE -->
     </release>
-    <release version="2.15.0" date="2026-05-11" description="Minor release 
with new features and updated dependencies; requires Java 8 or above.">
+    <release version="2.15.0" date="2026-05-11" description="Minor release 
with new features and updated dependencies; requires Java 8 or above; fixes 
CVE-2026-45205.">
       <!-- FIX -->
       <action type="fix" dev="ggregory" due-to="Gary Gregory">Disable include 
schemes http[s] by default, see AbstractFileLocationStrategy #633.</action>
-      <action type="fix" dev="ggregory" due-to="Erichen, Gary Gregory">Detect 
and avoid processing cycles in YAML input (YAMLConfiguration) #634.</action>
+      <action type="fix" dev="ggregory" due-to="Erichen, Gary 
Gregory">CVE-2026-45205: Detect and avoid processing cycles in YAML input 
(YAMLConfiguration) #634.</action>
       <action type="fix" dev="ggregory" due-to="Piotr P. Karwasz, Gary 
Gregory">Extend scheme validation to inner schemes of jar: URLs #636.</action>
       <!-- ADD -->
       <!-- UPDATE -->
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index d83817c96..95b9593d2 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -55,7 +55,7 @@ limitations under the License.
                     'Denial of service' here means causing resource usage 
disproportionate to the input size.
                 </p>
             </subsection>
-            <subsection name="CVE-2022-33980 prior to 2.8.0, RCE when applied 
to untrusted input">
+            <subsection name="CVE-2022-33980, prior to 2.8.0, RCE when applied 
to untrusted input">
                 <p>
                     On 2022-07-06, the Apache Commons Configuration team 
disclosed
                     <a 
href="https://www.cve.org/CVERecord?id=CVE-2022-33980";>CVE-2022-33980</a>
@@ -124,7 +124,7 @@ limitations under the License.
                         </li>
                     </ul>
              </subsection>
-             <subsection name="CVE-2024-29131 prior to 2.10.1, Out-of-bounds 
Write vulnerability">
+             <subsection name="CVE-2024-29131, prior to 2.10.1, Out-of-bounds 
Write vulnerability">
                <p>
                  On 2024-03-20, the Apache Commons Configuration team 
disclosed <a 
href="https://www.cve.org/CVERecord?id=CVE-2024-29131";>CVE-2024-29131</a>.
                </p>
@@ -135,7 +135,7 @@ limitations under the License.
                  The details are in <a 
href="https://issues.apache.org/jira/browse/CONFIGURATION-840";>CONFIGURATION-840</a>.
                </p>
              </subsection>
-             <subsection name="CVE-2024-29133 prior to 2.10.1, Out-of-bounds 
Write vulnerability">
+             <subsection name="CVE-2024-29133, prior to 2.10.1, Out-of-bounds 
Write vulnerability">
                <p>
                  On 2024-03-20, the Apache Commons Configuration team 
disclosed <a 
href="https://www.cve.org/CVERecord?id=CVE-2024-29133";>CVE-2024-29133</a>.
                </p>
@@ -146,6 +146,23 @@ limitations under the License.
                  The details are in <a 
href="https://issues.apache.org/jira/browse/CONFIGURATION-840";>CONFIGURATION-841</a>.
                </p>
              </subsection>
+             <subsection name="CVE-2026-45205, prior to 2.15.0, Apache Commons 
Configuration: StackOverflowError for YAML input with cycles ">
+               <p>
+                 On 2026-05-14, the Apache Commons Configuration team 
disclosed <a 
href="https://www.cve.org/CVERecord?id=CVE-2026-45205";>CVE-2026-45205</a>.
+               </p>
+               <p>
+                 When processing an untrusted configuration file, Commons 
Configuration will throw a StackOverflowError for YAML input with cycles.
+                 This issue affects Apache Commons: from 2.2 before 2.15.0.
+                 Users are recommended to upgrade to version 2.15.0, which 
fixes the issue.
+               </p>
+               <p>
+                 References:
+               </p>
+               <ul>
+                 <li><a 
href="https://www.cve.org/CVERecord?id=CVE-2026-45205";>CVE-2026-45205</a></li>
+                 <li><a href="PR 
#634">https://github.com/apache/commons-configuration/pull/634</a></li>
+               </ul>
+             </subsection>
         </section>
     <section name="Safe Deserialization">
       <p>
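Review bot: The PR reference added at the end of the new CVE-2026-45205 subsection has its href and link text swapped — `<a href="PR #634">https://github.com/apache/commons-configuration/pull/634</a>` renders the URL as the visible text and links to a relative path literally named `PR #634`, so the reference is dead on the published page. It should read `<li><a href="https://github.com/apache/commons-configuration/pull/634">PR #634</a></li>`. The new subsection's name attribute also ends with a trailing space (`...YAML input with cycles "`), which leaks into the generated heading and anchor; trimming it keeps the title consistent with the sibling subsections. Since this page is where users confirm the affected range and fixed version, the reference links are worth verifying before the site is regenerated.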
