QwikSec

Security Database

CVE

CWE

Training

CVE-2020-1953

Published: Mar 13, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.

Vendor	Product	Versions
Apache	Apache Commons Configuration	affected `2.2` affected `2.3` affected `2.4` affected `2.5` affected `2.6`

References

[camel-commits] 20200313 [camel] branch camel-3.1.x updated: Update Commons Configuration 2 due to CVE-2020-1953

mailing-list

x_refsource_MLIST

https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E

x_refsource_MISC

https://www.oracle.com/security-alerts/cpuoct2020.html

x_refsource_MISC

https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66bf292269%40%3Ccommits.servicecomb.apache.org%3E

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.