Posted to user@commons.apache.org by Oliver Heger <oh...@apache.org> on 2020/03/12 17:53:31 UTC

[CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration

CVE-2020-1953: Uncontrolled class instantiation when loading YAML files
in Apache Commons Configuration

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
2.2 to 2.6

Description:
Apache Commons Configuration uses a third-party library to parse YAML
files which by default allows the instantiation of classes if the YAML
includes special statements. If a YAML file is from an untrusted source,
it can therefore load and execute code out of the control of the host
application.

Mitigation:
Users should upgrade to 2.7, which prevents class instantiation by
the YAML processor.

Credit:
This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team

Oliver Heger
on behalf of the Apache Commons PMC


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org
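The advisory does not name the third-party YAML parser. As an added example (not code from the advisory or from the Commons Configuration project), the snippet below assumes that parser is SnakeYAML and shows the defender-side configuration the advisory describes: a loader built on SnakeYAML's SafeConstructor only produces plain maps, lists and scalars, and rejects any document that carries a class tag such as `!!some.Class`, instead of instantiating that class the way the default constructor would. The sample YAML strings, the class name SafeYamlLoad and the helper names are constructed for this example; the SafeConstructor(LoaderOptions) signature assumes a recent SnakeYAML 1.x.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

// Added example, not project code. Assumes SnakeYAML 1.x on the classpath.
public class SafeYamlLoad {

    // A loader that knows only the standard YAML types. Any "!!" class tag
    // has no registered constructor here, so the document is refused instead
    // of being turned into an arbitrary Java object.
    private static final Yaml SAFE_LOADER =
            new Yaml(new SafeConstructor(new LoaderOptions()));

    // Parse YAML that may come from an untrusted source. Returns the plain
    // object graph (Map/List/String/Number/Boolean) or throws on class tags.
    public static Object loadUntrusted(String yamlText) {
        return SAFE_LOADER.load(yamlText);
    }

    // Convenience check for callers (and tests): true if the safe loader
    // rejected the document because it tried to name a Java class.
    public static boolean rejectsClassTag(String yamlText) {
        try {
            loadUntrusted(yamlText);
            return false;
        } catch (ConstructorException e) {
            // SafeConstructor reports "could not determine a constructor
            // for the tag ..." for every tag it does not know.
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: an ordinary configuration document.
        String plainConfig = "database:\n"
                + "  host: db.example.internal\n"
                + "  port: 5432\n";

        // Constructed sample: the same shape of document, but one value is
        // tagged with a Java class name. A default Yaml() instance would
        // instantiate that class; the safe loader refuses the document.
        String taggedConfig = "database:\n"
                + "  created: !!java.util.Date {}\n";

        @SuppressWarnings("unchecked")
        Map<String, Object> cfg = (Map<String, Object>) loadUntrusted(plainConfig);
        System.out.println("plain document loaded: " + cfg.get("database"));

        System.out.println("tagged document rejected: "
                + rejectsClassTag(taggedConfig)); // true with SafeConstructor
    }
}
```

Commons Configuration 2.7 applies the same idea inside its YAML support, which is why the advisory's mitigation is simply to upgrade; the snippet above is useful where an application also parses YAML directly with the underlying library, or where an upgrade cannot be rolled out immediately and the untrusted input has to be screened before it reaches the configuration layer.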


Re: [CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration

Posted by Oliver Heger <ol...@oliver-heger.de>.
The form at Mitre was just submitted, so I assume that the issue will be
visible soon.

Oliver

On 12.03.20 at 19:18, Gary Gregory wrote:
> Note that  https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1953 is not
> "live" yet.
> 
> Gary
> 
> On Thu, Mar 12, 2020 at 1:53 PM Oliver Heger <oh...@apache.org> wrote:
> 
>> CVE-2020-1953: Uncontrolled class instantiation when loading YAML files
>> in Apache Commons Configuration
>>
>> Severity: Moderate
>>
>> Vendor:
>> The Apache Software Foundation
>>
>> Versions Affected:
>> 2.2 to 2.6
>>
>> Description:
>> Apache Commons Configuration uses a third-party library to parse YAML
>> files which by default allows the instantiation of classes if the YAML
>> includes special statements. If a YAML file is from an untrusted source,
>> it can therefore load and execute code out of the control of the host
>> application.
>>
>> Mitigation:
>> Users should upgrade to 2.7, which prevents class instantiation by
>> the YAML processor.
>>
>> Credit:
>> This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team
>>
>> Oliver Heger
>> on behalf of the Apache Commons PMC
>>
> 



Re: [CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration

Posted by Gary Gregory <ga...@gmail.com>.
Note that  https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1953 is not
"live" yet.

Gary

On Thu, Mar 12, 2020 at 1:53 PM Oliver Heger <oh...@apache.org> wrote:

> CVE-2020-1953: Uncontrolled class instantiation when loading YAML files
> in Apache Commons Configuration
>
> Severity: Moderate
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> 2.2 to 2.6
>
> Description:
> Apache Commons Configuration uses a third-party library to parse YAML
> files which by default allows the instantiation of classes if the YAML
> includes special statements. If a YAML file is from an untrusted source,
> it can therefore load and execute code out of the control of the host
> application.
>
> Mitigation:
> Users should upgrade to 2.7, which prevents class instantiation by
> the YAML processor.
>
> Credit:
> This issue was discovered by Daniel Kalinowski of ISEC.pl Research Team
>
> Oliver Heger
> on behalf of the Apache Commons PMC
>
>
