Source: commons-configuration2
Version: 2.2-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for commons-configuration2.

CVE-2020-1953[0]:
| Apache Commons Configuration uses a third-party library to parse YAML
| files which by default allows the instantiation of classes if the YAML
| includes special statements. Apache Commons Configuration versions
| 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this
| library. So if a YAML file was loaded from an untrusted source, it
| could therefore load and execute code out of the control of the host
| application.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-1953
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1953
[1] https://www.openwall.com/lists/oss-security/2020/03/13/1

Regards,
Salvatore
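Added illustration (not part of the bug report or of Commons Configuration itself): the mitigation the CVE text implies is to load untrusted YAML with a constructor that only builds plain maps, lists and scalars, so a class tag in the document is rejected rather than instantiated. The example assumes SnakeYAML 1.x (the YAML library Commons Configuration uses) on the classpath; `com.example.Placeholder` is a placeholder tag name, not a real class.

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SafeYamlLoad {
    // new Yaml() uses the default Constructor, which resolves "!!some.Class"
    // tags to Java classes and instantiates them (the behaviour behind
    // CVE-2020-1953). SafeConstructor only knows the standard YAML tags, so
    // any class tag fails with ConstructorException instead.
    private static final Yaml SAFE = new Yaml(new SafeConstructor());

    // Loads a YAML document from an untrusted source into plain collections.
    public static Map<String, Object> loadUntrusted(String yaml) {
        return SAFE.load(yaml);
    }

    public static void main(String[] args) {
        // Constructed sample: an ordinary configuration document.
        String plain = "db:\n  host: localhost\n  port: 5432\n";
        System.out.println(loadUntrusted(plain)); // {db={host=localhost, port=5432}}

        // Constructed sample: same shape, but one node carries a class tag.
        // "com.example.Placeholder" is a placeholder name, not a real class.
        String tagged = "db: !!com.example.Placeholder\n  host: localhost\n";
        try {
            loadUntrusted(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            // SafeConstructor refuses tags it does not know.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Wrapping every untrusted load this way (or through a method in the application's own YAML facade) lets a grep for `new Yaml()` double as a review check for the weak default.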