Author: ggregory
Date: Thu May 14 11:18:43 2026
New Revision: 1092996

Log:
Document CVE-2026-45205

Modified:
   websites/production/commons/content/proper/commons-configuration/security.html

Modified: 
websites/production/commons/content/proper/commons-configuration/security.html
==============================================================================
--- 
websites/production/commons/content/proper/commons-configuration/security.html  
    Wed May 13 18:43:43 2026        (r1092995)
+++ 
websites/production/commons/content/proper/commons-configuration/security.html  
    Thu May 14 11:18:43 2026        (r1092996)
@@ -1,6 +1,6 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 2.0.0 from 
src/site/xdoc/security.xml at 13 May 2026
+ | Generated by Apache Maven Doxia Site Renderer 2.0.0 from 
src/site/xdoc/security.xml at 14 May 2026
  | Rendered using Apache Commons Skin
 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; lang="en">
@@ -38,8 +38,8 @@
         <div class="container-fluid">
           <a class="brand" 
href="https://commons.apache.org/proper/commons-configuration/";>Apache Commons 
Configuration &trade;</a>
           <ul class="nav">                    
-          <li id="publishDate">Last Published: 12 May 2026</li>
-    <li class="divider">|</li> <li id="projectVersion">Version: 2.15.0</li>
+          <li id="publishDate">Last Published: 13 May 2026</li>
+    <li class="divider">|</li> <li id="projectVersion">Version: 
2.15.1-SNAPSHOT</li>
   </ul>
           <div class="pull-right">  <ul class="nav">
             <li>
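Review bot: The `projectVersion` item in the nav bar now reads `2.15.1-SNAPSHOT` on a page under `websites/production`, while the advisory added later in this same commit tells users to upgrade to 2.15.0. A reader who looks at the header to find the current release will see a snapshot version that cannot be the fix target. Consider publishing the security page from the 2.15.0 release build so the header and the advisory agree. The `publishDate` of 13 May also lags the 14 May generation date in the file's header comment.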
@@ -307,8 +307,8 @@
                     'Denial of service' here means causing resource usage 
disproportionate to the input size.
                 </p>
             </section>
-            <section><a 
id="CVE-2022-33980_prior_to_2.8.0.2C_RCE_when_applied_to_untrusted_input"></a>
-<h2>CVE-2022-33980 prior to 2.8.0, RCE when applied to untrusted input</h2>
+            <section><a 
id="CVE-2022-33980.2C_prior_to_2.8.0.2C_RCE_when_applied_to_untrusted_input"></a>
+<h2>CVE-2022-33980, prior to 2.8.0, RCE when applied to untrusted input</h2>
                 
 <p>
                     On 2022-07-06, the Apache Commons Configuration team 
disclosed
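Review bot: The anchor id on the CVE-2022-33980 section changes along with the heading (a `.2C` is now inserted after the CVE number), so any existing deep link to `#CVE-2022-33980_prior_to_2.8.0.2C_RCE_when_applied_to_untrusted_input` will stop resolving to this section. Security advisories are commonly linked by fragment from scanners, tickets and mailing-list posts, so either keep the old id as an extra empty `<a id="...">` next to the new one, or leave the heading text unchanged. The same id rename is applied to the CVE-2024-29131 and CVE-2024-29133 sections in the following hunks.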
@@ -392,8 +392,8 @@
                         </li>
                     </ul>
              </section>
-             <section><a 
id="CVE-2024-29131_prior_to_2.10.1.2C_Out-of-bounds_Write_vulnerability"></a>
-<h2>CVE-2024-29131 prior to 2.10.1, Out-of-bounds Write vulnerability</h2>
+             <section><a 
id="CVE-2024-29131.2C_prior_to_2.10.1.2C_Out-of-bounds_Write_vulnerability"></a>
+<h2>CVE-2024-29131, prior to 2.10.1, Out-of-bounds Write vulnerability</h2>
                
 <p>
                  On 2024-03-20, the Apache Commons Configuration team 
disclosed <a href="https://www.cve.org/CVERecord?id=CVE-2024-29131"; 
class="externalLink">CVE-2024-29131</a>.
@@ -406,8 +406,8 @@
                  The details are in <a 
href="https://issues.apache.org/jira/browse/CONFIGURATION-840"; 
class="externalLink">CONFIGURATION-840</a>.
                </p>
              </section>
-             <section><a 
id="CVE-2024-29133_prior_to_2.10.1.2C_Out-of-bounds_Write_vulnerability"></a>
-<h2>CVE-2024-29133 prior to 2.10.1, Out-of-bounds Write vulnerability</h2>
+             <section><a 
id="CVE-2024-29133.2C_prior_to_2.10.1.2C_Out-of-bounds_Write_vulnerability"></a>
+<h2>CVE-2024-29133, prior to 2.10.1, Out-of-bounds Write vulnerability</h2>
                
 <p>
                  On 2024-03-20, the Apache Commons Configuration team 
disclosed <a href="https://www.cve.org/CVERecord?id=CVE-2024-29133"; 
class="externalLink">CVE-2024-29133</a>.
@@ -420,6 +420,30 @@
                  The details are in <a 
href="https://issues.apache.org/jira/browse/CONFIGURATION-840"; 
class="externalLink">CONFIGURATION-841</a>.
                </p>
              </section>
+             <section><a 
id="CVE-2026-45205.2C_prior_to_2.15.0.2C_Apache_Commons_Configuration.3A_StackOverflowError_for_YAML_input_with_cycles"></a>
+<h2>CVE-2026-45205, prior to 2.15.0, Apache Commons Configuration: 
StackOverflowError for YAML input with cycles </h2>
+               
+<p>
+                 On 2026-05-14, the Apache Commons Configuration team 
disclosed <a href="https://www.cve.org/CVERecord?id=CVE-2026-45205"; 
class="externalLink">CVE-2026-45205</a>.
+               </p>
+               
+<p>
+                 When processing an untrusted configuration file, Commons 
Configuration will throw a StackOverflowError for YAML input with cycles.
+                 This issue affects Apache Commons: from 2.2 before 2.15.0.
+                 Users are recommended to upgrade to version 2.15.0, which 
fixes the issue.
+               </p>
+               
+<p>
+                 References:
+               </p>
+               
+<ul>
+                 
+<li><a href="https://www.cve.org/CVERecord?id=CVE-2026-45205"; 
class="externalLink">CVE-2026-45205</a></li>
+                 
+<li><a href="PR 
#a634">https://github.com/apache/commons-configuration/pull/634</a></li>
+               </ul>
+             </section>
         </section>
     <section><a id="Safe_Deserialization"></a>
 <h1>Safe Deserialization</h1>
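Review bot: The second entry in the new References list has its href and link text swapped: the `href` is "PR #a634" and the visible text is https://github.com/apache/commons-configuration/pull/634. A browser will treat "PR #a634" as a relative URL with a fragment, so the link to the fix is dead, and the stray "a" in "#a634" does not match the pull request number in the URL. Suggest using the pull request URL as the `href` and "PR #634" as the text. Two smaller points in the added paragraph: "This issue affects Apache Commons: from 2.2 before 2.15.0" names the umbrella project rather than Apache Commons Configuration, and the new `<h2>` has a trailing space before `</h2>`. Separately, the unchanged context at the top of this hunk has a link whose `href` points to CONFIGURATION-840 while its text says CONFIGURATION-841; one of the two is wrong and could be corrected in the same pass.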
@@ -445,4 +469,4 @@
                   </div>
   </body>
 
-</html>
\ No newline at end of file
+</html>
