Note that  https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1953 is not
"live" yet.

Gary

On Thu, Mar 12, 2020 at 1:53 PM Oliver Heger <ohe...@apache.org> wrote:

> CVE-2020-1953: Uncontrolled class instantiation when loading YAML files
> in Apache Commons Configuration
>
> Severity: Moderate
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> 2.2 to 2.6
>
> Description:
> Apache Commons Configuration uses a third-party library to parse YAML
> files which by default allows the instantiation of classes if the YAML
> includes special statements. If a YAML file is from an untrusted source,
> it can therefore load and execute code out of the control of the host
> application.
>
> Mitigation:
> Users should upgrade to 2.7, which prevents class instantiation by
> the YAML processor.
>
> Credit:
> This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team
>
> Oliver Heger
> on behalf of the Apache Commons PMC
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
>
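An added illustration of the behaviour the advisory describes (example code written for this page, not code from Apache Commons Configuration or from its YAML library). It assumes SnakeYAML 1.x, the parser Commons Configuration's YAMLConfiguration delegates to: with the default Constructor a `!!` tag naming a Java class causes that class to be instantiated during parsing, whereas SafeConstructor only knows the standard YAML scalar and collection tags and rejects anything else. The Probe class and the YAML document are constructed for the demo; nothing here stands in for a real gadget class.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlTagDemo {

    // Hypothetical stand-in for "any class on the classpath with a public
    // no-arg constructor": it only records that it was constructed, but
    // whatever its constructor did would run during parsing.
    public static class Probe {
        static boolean constructed = false;
        public Probe() { constructed = true; }
    }

    // Constructed input, imitating a configuration file from an untrusted
    // source. The !!Name tag expands to tag:yaml.org,2002:Name, which the
    // default Constructor treats as a Java class name to load and instantiate.
    static final String UNTRUSTED_YAML = "setting: !!YamlTagDemo$Probe {}\n";

    // Behaviour of a plain new Yaml(): the default Constructor resolves
    // class-name tags via Class.forName and instantiates them.
    static Object loadWithDefaultConstructor(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened variant: SafeConstructor has no constructor registered for
    // unknown tags and throws ConstructorException instead of instantiating.
    static Object loadWithSafeConstructor(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Probe.constructed = false;
        Object parsed = loadWithDefaultConstructor(UNTRUSTED_YAML);
        System.out.println("default constructor: parsed " + parsed.getClass().getSimpleName()
                + ", Probe constructed = " + Probe.constructed);   // true

        Probe.constructed = false;
        try {
            loadWithSafeConstructor(UNTRUSTED_YAML);
            System.out.println("safe constructor: unexpectedly loaded the document");
        } catch (ConstructorException e) {
            // e.getMessage() names the offending tag, useful for logging/alerting
            System.out.println("safe constructor: rejected document: " + e.getMessage());
        }
        System.out.println("safe constructor: Probe constructed = " + Probe.constructed);   // false
    }
}
```

Compile and run with snakeyaml on the classpath. The point of the check is the second half: a parser configured for untrusted input must fail closed on unknown tags rather than resolve them, which is the behaviour the advisory says 2.7 adopts. Applications still on 2.2 to 2.6 that cannot upgrade immediately should at least not feed YAML from untrusted sources to YAMLConfiguration.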
