Re: [CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration
The form at Mitre was just submitted, so I assume that the issue will be visible soon.

Oliver

On 12.03.20 at 19:18, Gary Gregory wrote:
> Note that https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1953 is not
> "live" yet.
>
> Gary
>
> On Thu, Mar 12, 2020 at 1:53 PM Oliver Heger wrote:
>
>> CVE-2020-1953: Uncontrolled class instantiation when loading YAML files
>> in Apache Commons Configuration
>>
>> Severity: Moderate
>>
>> Vendor:
>> The Apache Software Foundation
>>
>> Versions Affected:
>> 2.2 to 2.6
>>
>> Description:
>> Apache Commons Configuration uses a third-party library to parse YAML
>> files which by default allows the instantiation of classes if the YAML
>> includes special statements. If a YAML file is from an untrusted source,
>> it can therefore load and execute code out of the control of the host
>> application.
>>
>> Mitigation:
>> Users should upgrade to 2.7, which prevents class instantiation by
>> the YAML processor.
>>
>> Credit:
>> This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team
>>
>> Oliver Heger
>> on behalf of the Apache Commons PMC
Re: [CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration
Note that https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1953 is not "live" yet.

Gary

On Thu, Mar 12, 2020 at 1:53 PM Oliver Heger wrote:

> CVE-2020-1953: Uncontrolled class instantiation when loading YAML files
> in Apache Commons Configuration
>
> Severity: Moderate
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> 2.2 to 2.6
>
> Description:
> Apache Commons Configuration uses a third-party library to parse YAML
> files which by default allows the instantiation of classes if the YAML
> includes special statements. If a YAML file is from an untrusted source,
> it can therefore load and execute code out of the control of the host
> application.
>
> Mitigation:
> Users should upgrade to 2.7, which prevents class instantiation by
> the YAML processor.
>
> Credit:
> This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team
>
> Oliver Heger
> on behalf of the Apache Commons PMC
[CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration
CVE-2020-1953: Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
2.2 to 2.6

Description:
Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. If a YAML file is from an untrusted source, it can therefore load and execute code out of the control of the host application.

Mitigation:
Users should upgrade to 2.7, which prevents class instantiation by the YAML processor.

Credit:
This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team

Oliver Heger
on behalf of the Apache Commons PMC
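The announcement does not name the third-party YAML library; Commons Configuration parses YAML with SnakeYAML, whose default `Constructor` resolves `!!fully.qualified.ClassName` tags to arbitrary classes on the classpath. The example below is added here and is not code from the advisory or from Commons Configuration itself: it shows the kind of restriction the mitigation describes, a loader that uses SnakeYAML's `SafeConstructor` so that only the standard YAML types (maps, lists, scalars) are ever constructed, next to the default loader for contrast. It assumes SnakeYAML 1.33 or later (the `SafeConstructor(LoaderOptions)` signature), and the tagged document uses a placeholder class name, not a real one.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Added example (not part of the advisory): loading YAML from an untrusted
 * source so that tag-driven class instantiation is refused by the parser.
 */
public class UntrustedYamlLoader {

    // Constructed sample input: an ordinary configuration document.
    static final String PLAIN =
            "server:\n"
          + "  host: localhost\n"
          + "  port: 8080\n";

    // Constructed sample input carrying a class tag; the class name is a placeholder.
    static final String TAGGED =
            "server: !!com.example.PlaceholderClass {}\n";

    /**
     * Hardened form: SafeConstructor only knows the core YAML tags, so any
     * "!!some.Class" tag fails with a YAMLException instead of loading a class.
     */
    static Map<String, Object> loadSafely(String yamlText) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(yamlText);
    }

    /**
     * Default form, shown only for contrast: the no-arg Yaml() uses the full
     * Constructor, which resolves class tags. Never use it on untrusted input.
     */
    static Map<String, Object> loadWithDefaults(String yamlText) {
        Yaml yaml = new Yaml();
        return yaml.load(yamlText);
    }

    public static void main(String[] args) {
        // Ordinary documents load the same way with both constructors.
        System.out.println("safe  : " + loadSafely(PLAIN));

        // A tagged document is rejected by the safe loader before any class is touched.
        try {
            loadSafely(TAGGED);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check worth keeping from this is the constructor choice: wherever a `Yaml` instance is built for data that did not originate inside the application, it should be created with `SafeConstructor`, and upgrading to Commons Configuration 2.7 removes the need to do this by hand for `YAMLConfiguration`.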